From 7d8c404922854790f5b5d2dce9a7736c896e7bf7 Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Sun, 24 Jan 2021 21:06:30 -0800 Subject: [PATCH] generate 1.3.2-rc1 --- charts/kyverno/Chart.yaml | 4 +- charts/kyverno/crds/crds.yaml | 1325 +++++++---------------------- definitions/install.yaml | 1329 +++++++----------------------- definitions/install_debug.yaml | 1325 +++++++---------------------- definitions/kustomization.yaml | 4 +- definitions/release/install.yaml | 1329 +++++++----------------------- 6 files changed, 1216 insertions(+), 4100 deletions(-) diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 400d3bb55f22..37db9841989c 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: kyverno -version: v1.3.1 -appVersion: v1.3.1 +version: v1.3.2-rc1 +appVersion: v1.3.2-rc1 icon: https://github.com/kyverno/kyverno/blob/master/documentation/images/Kyverno_Horizontal.png description: Kubernetes Native Policy Management keywords: diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml index fd643821c966..f5bf6f341802 100644 --- a/charts/kyverno/crds/crds.yaml +++ b/charts/kyverno/crds/crds.yaml @@ -26,18 +26,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -45,27 +40,17 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -80,29 +65,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -110,50 +86,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -165,51 +120,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -224,10 +159,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -237,10 +169,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -252,39 +181,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -292,50 +206,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -347,51 +240,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -403,25 +276,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -434,27 +300,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -465,9 +323,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -475,23 +331,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -502,102 +353,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -662,26 +491,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -689,46 +512,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -740,58 +547,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -803,8 +571,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -838,23 +605,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -866,39 +623,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -910,34 +656,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -999,26 +737,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests - API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -1026,46 +758,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1077,58 +793,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1140,8 +817,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -1175,23 +851,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1203,39 +869,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1247,34 +902,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -1331,14 +978,10 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1349,12 +992,10 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an - admission request. + description: RequestInfo contains permission info carried in an admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. + description: ClusterRoles is a list of possible clusterRoles send the request. items: type: string nullable: true @@ -1366,18 +1007,15 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission - request. + description: UserInfo is the userInfo carried in the admission request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf - can generate + description: ExtraValue masks the value so protobuf can generate items: type: string type: array - description: Any additional information provided by the - authenticator. + description: Any additional information provided by the authenticator. type: object groups: description: The names of groups this user is a part of. @@ -1385,14 +1023,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. type: string username: - description: The name that uniquely identifies this user - among all active users. + description: The name that uniquely identifies this user among all active users. type: string type: object type: object @@ -1401,8 +1035,7 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate - request. + description: ResourceSpec is the information to identify the generate request. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -1426,8 +1059,7 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: @@ -1496,19 +1128,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1516,27 +1142,17 @@ spec: description: Spec defines policy behaviors and contains one or rules. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -1551,29 +1167,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1581,50 +1188,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1636,51 +1222,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1695,10 +1261,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -1708,10 +1271,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1723,39 +1283,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1763,50 +1308,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1818,51 +1342,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1874,25 +1378,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -1905,27 +1402,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1936,9 +1425,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -1946,23 +1433,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1973,102 +1455,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime information. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -2136,22 +1596,17 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2159,46 +1614,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2210,58 +1649,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2273,8 +1673,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2308,23 +1707,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2336,39 +1725,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2380,34 +1758,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -2469,26 +1839,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests - API + description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2496,46 +1860,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2547,58 +1895,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2610,8 +1919,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2645,23 +1953,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2673,39 +1971,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2717,34 +2004,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object diff --git a/definitions/install.yaml b/definitions/install.yaml index ed15b3ef9982..0633bcc706bc 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -31,18 +31,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -50,27 +45,17 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -85,29 +70,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -115,50 +91,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -170,51 +125,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -229,10 +164,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -242,10 +174,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -257,39 +186,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -297,50 +211,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -352,51 +245,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -408,25 +281,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -439,27 +305,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -470,9 +328,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -480,23 +336,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -507,102 +358,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -667,26 +496,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -694,46 +517,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -745,58 +552,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -808,8 +576,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -843,23 +610,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -871,39 +628,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -915,34 +661,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -1004,26 +742,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests - API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -1031,46 +763,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1082,58 +798,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1145,8 +822,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -1180,23 +856,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1208,39 +874,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1252,34 +907,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -1336,14 +983,10 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1354,12 +997,10 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an - admission request. + description: RequestInfo contains permission info carried in an admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. + description: ClusterRoles is a list of possible clusterRoles send the request. items: type: string nullable: true @@ -1371,18 +1012,15 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission - request. + description: UserInfo is the userInfo carried in the admission request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf - can generate + description: ExtraValue masks the value so protobuf can generate items: type: string type: array - description: Any additional information provided by the - authenticator. + description: Any additional information provided by the authenticator. type: object groups: description: The names of groups this user is a part of. @@ -1390,14 +1028,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. type: string username: - description: The name that uniquely identifies this user - among all active users. + description: The name that uniquely identifies this user among all active users. type: string type: object type: object @@ -1406,8 +1040,7 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate - request. + description: ResourceSpec is the information to identify the generate request. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -1431,8 +1064,7 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: @@ -1501,19 +1133,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1521,27 +1147,17 @@ spec: description: Spec defines policy behaviors and contains one or rules. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -1556,29 +1172,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1586,50 +1193,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1641,51 +1227,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1700,10 +1266,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -1713,10 +1276,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1728,39 +1288,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1768,50 +1313,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1823,51 +1347,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1879,25 +1383,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -1910,27 +1407,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1941,9 +1430,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -1951,23 +1438,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1978,102 +1460,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime information. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -2141,22 +1601,17 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2164,46 +1619,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2215,58 +1654,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2278,8 +1678,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2313,23 +1712,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2341,39 +1730,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2385,34 +1763,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -2474,26 +1844,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests - API + description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2501,46 +1865,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2552,58 +1900,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2615,8 +1924,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2650,23 +1958,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2678,39 +1976,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2722,34 +2009,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -3075,7 +2354,7 @@ spec: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc - image: ghcr.io/kyverno/kyverno:v1.3.1 + image: ghcr.io/kyverno/kyverno:v1.3.2-rc1 imagePullPolicy: Always livenessProbe: failureThreshold: 4 @@ -3118,7 +2397,7 @@ spec: runAsNonRoot: true runAsUser: 1000 initContainers: - - image: ghcr.io/kyverno/kyvernopre:v1.3.1 + - image: ghcr.io/kyverno/kyvernopre:v1.3.2-rc1 imagePullPolicy: Always name: kyverno-pre securityContext: diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 9be761e691dc..bebf52231f46 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -31,18 +31,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -50,27 +45,17 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -85,29 +70,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -115,50 +91,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -170,51 +125,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -229,10 +164,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -242,10 +174,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -257,39 +186,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -297,50 +211,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -352,51 +245,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -408,25 +281,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -439,27 +305,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -470,9 +328,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -480,23 +336,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -507,102 +358,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -667,26 +496,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -694,46 +517,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -745,58 +552,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -808,8 +576,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -843,23 +610,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -871,39 +628,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -915,34 +661,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -1004,26 +742,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests - API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -1031,46 +763,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1082,58 +798,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1145,8 +822,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -1180,23 +856,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1208,39 +874,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1252,34 +907,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -1336,14 +983,10 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1354,12 +997,10 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an - admission request. + description: RequestInfo contains permission info carried in an admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. + description: ClusterRoles is a list of possible clusterRoles send the request. items: type: string nullable: true @@ -1371,18 +1012,15 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission - request. + description: UserInfo is the userInfo carried in the admission request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf - can generate + description: ExtraValue masks the value so protobuf can generate items: type: string type: array - description: Any additional information provided by the - authenticator. + description: Any additional information provided by the authenticator. type: object groups: description: The names of groups this user is a part of. @@ -1390,14 +1028,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. type: string username: - description: The name that uniquely identifies this user - among all active users. + description: The name that uniquely identifies this user among all active users. type: string type: object type: object @@ -1406,8 +1040,7 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate - request. + description: ResourceSpec is the information to identify the generate request. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -1431,8 +1064,7 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: @@ -1501,19 +1133,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1521,27 +1147,17 @@ spec: description: Spec defines policy behaviors and contains one or rules. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -1556,29 +1172,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1586,50 +1193,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1641,51 +1227,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1700,10 +1266,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -1713,10 +1276,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1728,39 +1288,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1768,50 +1313,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1823,51 +1347,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1879,25 +1383,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -1910,27 +1407,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1941,9 +1430,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -1951,23 +1438,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1978,102 +1460,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime information. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -2141,22 +1601,17 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2164,46 +1619,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2215,58 +1654,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2278,8 +1678,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2313,23 +1712,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2341,39 +1730,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2385,34 +1763,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -2474,26 +1844,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests - API + description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2501,46 +1865,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2552,58 +1900,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2615,8 +1924,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2650,23 +1958,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2678,39 +1976,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2722,34 +2009,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object diff --git a/definitions/kustomization.yaml b/definitions/kustomization.yaml index e9b452116364..4b2809bc6912 100755 --- a/definitions/kustomization.yaml +++ b/definitions/kustomization.yaml @@ -8,7 +8,7 @@ resources: images: - name: ghcr.io/kyverno/kyverno newName: ghcr.io/kyverno/kyverno - newTag: v1.3.1 + newTag: v1.3.2-rc1 - name: ghcr.io/kyverno/kyvernopre newName: ghcr.io/kyverno/kyvernopre - newTag: v1.3.1 + newTag: v1.3.2-rc1 diff --git a/definitions/release/install.yaml b/definitions/release/install.yaml index ed15b3ef9982..0633bcc706bc 100755 --- a/definitions/release/install.yaml +++ b/definitions/release/install.yaml @@ -31,18 +31,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. + description: ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -50,27 +45,17 @@ spec: description: Spec declares policy behaviors. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -85,29 +70,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -115,50 +91,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -170,51 +125,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -229,10 +164,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -242,10 +174,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -257,39 +186,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -297,50 +211,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -352,51 +245,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -408,25 +281,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -439,27 +305,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -470,9 +328,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -480,23 +336,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -507,102 +358,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime data. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -667,26 +496,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API + description: ClusterPolicyReport is the Schema for the clusterpolicyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -694,46 +517,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -745,58 +552,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -808,8 +576,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -843,23 +610,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -871,39 +628,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -915,34 +661,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -1004,26 +742,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests - API + description: ClusterReportChangeRequest is the Schema for the ClusterReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -1031,46 +763,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1082,58 +798,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1145,8 +822,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -1180,23 +856,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -1208,39 +874,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1252,34 +907,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -1336,14 +983,10 @@ spec: description: GenerateRequest is a request to process generate rule. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1354,12 +997,10 @@ spec: description: Context ... properties: userInfo: - description: RequestInfo contains permission info carried in an - admission request. + description: RequestInfo contains permission info carried in an admission request. properties: clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. + description: ClusterRoles is a list of possible clusterRoles send the request. items: type: string nullable: true @@ -1371,18 +1012,15 @@ spec: nullable: true type: array userInfo: - description: UserInfo is the userInfo carried in the admission - request. + description: UserInfo is the userInfo carried in the admission request. properties: extra: additionalProperties: - description: ExtraValue masks the value so protobuf - can generate + description: ExtraValue masks the value so protobuf can generate items: type: string type: array - description: Any additional information provided by the - authenticator. + description: Any additional information provided by the authenticator. type: object groups: description: The names of groups this user is a part of. @@ -1390,14 +1028,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs. type: string username: - description: The name that uniquely identifies this user - among all active users. + description: The name that uniquely identifies this user among all active users. type: string type: object type: object @@ -1406,8 +1040,7 @@ spec: description: Specifies the name of the policy. type: string resource: - description: ResourceSpec is the information to identify the generate - request. + description: ResourceSpec is the information to identify the generate request. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -1431,8 +1064,7 @@ spec: description: Status contains statistics related to generate request. properties: generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. + description: This will track the resources that are generated by the generate Policy. Will be used during clean up resources. items: description: ResourceSpec contains information to identify a resource. properties: @@ -1501,19 +1133,13 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: 'Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.' properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object @@ -1521,27 +1147,17 @@ spec: description: Spec defines policy behaviors and contains one or rules. properties: background: - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude. properties: context: - description: Context defines variables and data sources that - can be used during rule execution. + description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context + description: ContextEntry adds variables and data sources to a rule Context properties: configMap: description: ConfigMapReference refers to a ConfigMap @@ -1556,29 +1172,20 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1586,50 +1193,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1641,51 +1227,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1700,10 +1266,7 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only. properties: name: description: Name specifies name of the resource. @@ -1713,10 +1276,7 @@ spec: type: string type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. @@ -1728,39 +1288,24 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required. properties: clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. + description: ClusterRoles is the list of cluster-wide role names for the user. items: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. + description: ResourceDescription contains information about the resource being created or modified. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. @@ -1768,50 +1313,29 @@ spec: type: string type: array name: - description: Name is the name of the resource. The name - supports wildcard characters "*" (matches zero or - many characters) and "?" (at least one character). + description: Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). type: string namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -1823,51 +1347,31 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object type: object roles: - description: Roles is the list of namespaced role names - for the user. + description: Roles is the list of namespaced role names for the user. items: type: string type: array subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. + description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind @@ -1879,25 +1383,18 @@ spec: description: Mutation is used to modify matching resources. properties: overlay: - description: Overlay specifies an overlay pattern to modify - resources. DEPRECATED. Use PatchStrategicMerge instead. - Scheduled for removal in release 1.5+. + description: Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+. x-kubernetes-preserve-unknown-fields: true patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patches: - description: Patches specifies a RFC 6902 JSON Patch to - modify resources. DEPRECATED. Use PatchesJSON6902 instead. - Scheduled for removal in release 1.5+. + description: Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+. items: description: 'Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902' properties: op: - description: Operation specifies operations supported - by JSON Patch. i.e:- add, replace and delete. + description: Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete. type: string path: description: Path specifies path of the resource. @@ -1910,27 +1407,19 @@ spec: type: array x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string type: object name: - description: Name is a label to identify the rule, It must be - unique within the policy. + description: Name is a label to identify the rule, It must be unique within the policy. type: string preconditions: - description: Conditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. + description: Conditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1941,9 +1430,7 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or set of - values. The values can be fixed set or can be variables - declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -1951,23 +1438,18 @@ spec: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true deny: - description: Deny defines conditions to fail the validation - rule. + description: Deny defines conditions to fail the validation rule. properties: conditions: description: Specifies set of condition to deny. items: - description: Condition defines variable-based conditional - criteria for rule execution. + description: Condition defines variable-based conditional criteria for rule execution. properties: key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. + description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true operator: description: Operator is the operation to perform. @@ -1978,102 +1460,80 @@ spec: - NotIn type: string value: - description: Value is the conditional value, or - set of values. The values can be fixed set or - can be variables declared using using JMESPath. + description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object message: - description: Message specifies a custom message to be displayed - on failure. + description: Message specifies a custom message to be displayed on failure. type: string pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. + description: Pattern specifies an overlay-style pattern used to check resources. x-kubernetes-preserve-unknown-fields: true type: object type: object type: array validationFailureAction: - description: ValidationFailureAction controls if a validation policy - rule failure should disallow the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. The default value is "audit". + description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit". type: string type: object status: description: Status contains policy runtime information. properties: averageExecutionTime: - description: AvgExecutionTime is the average time taken to process - the policy rules on a resource. + description: AvgExecutionTime is the average time taken to process the policy rules on a resource. type: string resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this policy. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this policy. + description: ResourcesGeneratedCount is the total count of resources that were generated by this policy. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this policy. + description: ResourcesMutatedCount is the total count of resources that were mutated by this policy. type: integer ruleStatus: description: Rules provides per rule statistics items: - description: RuleStats provides statistics for an individual rule - within a policy. + description: RuleStats provides statistics for an individual rule within a policy. properties: appliedCount: - description: AppliedCount is the total number of times this - rule was applied. + description: AppliedCount is the total number of times this rule was applied. type: integer averageExecutionTime: - description: ExecutionTime is the average time taken to execute - this rule. + description: ExecutionTime is the average time taken to execute this rule. type: string failedCount: - description: FailedCount is the total count of policy error - results for this rule. + description: FailedCount is the total count of policy error results for this rule. type: integer resourcesBlockedCount: - description: ResourcesBlockedCount is the total count of admission - review requests that were blocked by this rule. + description: ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule. type: integer resourcesGeneratedCount: - description: ResourcesGeneratedCount is the total count of resources - that were generated by this rule. + description: ResourcesGeneratedCount is the total count of resources that were generated by this rule. type: integer resourcesMutatedCount: - description: ResourcesMutatedCount is the total count of resources - that were mutated by this rule. + description: ResourcesMutatedCount is the total count of resources that were mutated by this rule. type: integer ruleName: description: Name is the rule name. type: string violationCount: - description: ViolationCount is the total count of policy failure - results for this rule. + description: ViolationCount is the total count of policy failure results for this rule. type: integer required: - ruleName type: object type: array rulesAppliedCount: - description: RulesAppliedCount is the total number of times this policy - was applied. + description: RulesAppliedCount is the total number of times this policy was applied. type: integer rulesFailedCount: - description: RulesFailedCount is the total count of policy execution - errors for this policy. + description: RulesFailedCount is the total count of policy execution errors for this policy. type: integer violationCount: - description: ViolationCount is the total count of policy failure results - for this policy. + description: ViolationCount is the total count of policy failure results for this policy. type: integer type: object required: @@ -2141,22 +1601,17 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2164,46 +1619,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2215,58 +1654,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2278,8 +1678,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2313,23 +1712,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2341,39 +1730,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2385,34 +1763,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -2474,26 +1844,20 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: ReportChangeRequest is the Schema for the ReportChangeRequests - API + description: ReportChangeRequest is the Schema for the ReportChangeRequests API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object results: description: PolicyReportResult provides result details items: - description: PolicyReportResult provides the result for an individual - policy + description: PolicyReportResult provides the result for an individual policy properties: category: description: Category indicates policy category @@ -2501,46 +1865,30 @@ spec: data: additionalProperties: type: string - description: Data provides additional information for the policy - rule + description: Data provides additional information for the policy rule type: object message: - description: Message is a short user friendly description of the - policy rule + description: Message is a short user friendly description of the policy rule type: string policy: description: Policy is the name of the policy type: string resourceSelector: - description: ResourceSelector is an optional selector for policy - results that apply to multiple resources. For example, a policy - result may apply to all pods that match a label. Either a Resource - or a ResourceSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: ResourceSelector is an optional selector for policy results that apply to multiple resources. For example, a policy result may apply to all pods that match a label. Either a Resource or a ResourceSelector can be specified. If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2552,58 +1900,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object resources: - description: Resources is an optional reference to the resource - checked by the policy and rule + description: Resources is an optional reference to the resource checked by the policy and rule items: - description: 'ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular restrictions - like, "must refer only to types A and B" or "UID not honored" - or "name must be restricted". Those cannot be well described - when embedded. 3. Inconsistent validation. Because the usages - are different, the validation rules are different by usage, - which makes it hard for users to predict what will happen. 4. - The fields are both imprecise and overly precise. Kind is not - a precise mapping to a URL. This can produce ambiguity during - interpretation and require a REST mapping. In most cases, the - dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don''t make - new APIs embed an underspecified API type they do not control. - Instead of using this type, create a locally provided and used - type that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - .' + description: 'ObjectReference contains enough information to let you inspect or modify the referred object. --- New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". Those cannot be well described when embedded. 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple and the version of the actual struct is irrelevant. 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type will affect numerous schemas. Don''t make new APIs embed an underspecified API type they do not control. Instead of using this type, create a locally provided and used type that is well-focused on your reference. For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 .' properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2615,8 +1924,7 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' @@ -2650,23 +1958,13 @@ spec: type: object type: array scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) + description: Scope is an optional reference to the report scope (e.g. a Deployment, Namespace, or Node) properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' type: string kind: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' @@ -2678,39 +1976,28 @@ spec: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' type: string uid: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies - to. + description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. items: type: string type: array @@ -2722,34 +2009,26 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object summary: description: PolicyReportSummary provides a summary of results properties: error: - description: Error provides the count of policies that could not be - evaluated + description: Error provides the count of policies that could not be evaluated type: integer fail: - description: Fail provides the count of policies whose requirements - were not met + description: Fail provides the count of policies whose requirements were not met type: integer pass: - description: Pass provides the count of policies whose requirements - were met + description: Pass provides the count of policies whose requirements were met type: integer skip: - description: Skip indicates the count of policies that were not selected - for evaluation + description: Skip indicates the count of policies that were not selected for evaluation type: integer warn: - description: Warn provides the count of unscored policies whose requirements - were not met + description: Warn provides the count of unscored policies whose requirements were not met type: integer type: object type: object @@ -3075,7 +2354,7 @@ spec: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-svc - image: ghcr.io/kyverno/kyverno:v1.3.1 + image: ghcr.io/kyverno/kyverno:v1.3.2-rc1 imagePullPolicy: Always livenessProbe: failureThreshold: 4 @@ -3118,7 +2397,7 @@ spec: runAsNonRoot: true runAsUser: 1000 initContainers: - - image: ghcr.io/kyverno/kyvernopre:v1.3.1 + - image: ghcr.io/kyverno/kyvernopre:v1.3.2-rc1 imagePullPolicy: Always name: kyverno-pre securityContext: