From c0f4b1f55372a68ad475dbd7b441d3f24becb08a Mon Sep 17 00:00:00 2001
From: Thomas Vitale
Date: Tue, 22 Aug 2023 15:05:20 +0200
Subject: [PATCH] Bump Kyverno to v1.10.3
---
 .github/workflows/release.yml | 2 +-
 .github/workflows/test.yml | 2 +-
 Makefile | 6 +-
 README.md | 7 +-
 .../config/overlays/registry-credentials.yml | 3 -
 package/config/upstream/install.yaml | 7410 +++++++++++++----
 package/vendir.lock.yml | 4 +-
 package/vendir.yml | 2 +-
 test/setup/kind/v1.24/kind-config.yml | 12 -
 test/setup/kind/v1.25/kind-config.yml | 8 +-
 test/setup/kind/v1.26/kind-config.yml | 8 +-
 test/setup/kind/v1.27/kind-config.yml | 8 +
 12 files changed, 5940 insertions(+), 1532 deletions(-)
 delete mode 100644 test/setup/kind/v1.24/kind-config.yml
 create mode 100644 test/setup/kind/v1.27/kind-config.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4aed89f..677324b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,6 +18,6 @@ jobs: registry-server: ghcr.io registry-username: ${{ github.actor }} image: ${{ github.repository }} - version: 1.9.2+kadras.1 + version: 1.10.3 secrets: pull-request-token: ${{ secrets.GH_ORG_PAT }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f8cf6f0..f178585 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs: name: Integration Tests strategy: matrix: - k8s_version: [v1.24, v1.25, v1.26] + k8s_version: [v1.25, v1.26, v1.27] permissions: contents: read uses: kadras-io/github-reusable-workflows/.github/workflows/carvel-package-test-integration.yml@main
diff --git a/Makefile b/Makefile
index 7804e0b..e5b70cc 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-K8S_VERSION=v1.26
+K8S_VERSION=v1.27
 # Build package configuration
 build: package
@@ -26,6 +26,10 @@ ytt:
 schema:
 ytt -f package/config/values-schema.yml --data-values-schema-inspect -o openapi-v3 > schema-openapi.yml
+# Use kbld to resolve the OCI images referenced within the manifests
+kbld:
+ rm -f package/.imgpkg/images.yml && mkdir -p package/.imgpkg && kbld --file package/config --imgpkg-lock-output package/.imgpkg/images.yml 1>> /dev/null
+
 # Check the ytt-annotated Kubernetes configuration and its validation
 test-config:
 ytt -f package/config | kubeconform -ignore-missing-schemas -summary
diff --git a/README.md b/README.md
index 89a0e59..336e601 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@ ![Test Workflow](https://github.com/kadras-io/package-for-kyverno/actions/workflows/test.yml/badge.svg) ![Release Workflow](https://github.com/kadras-io/package-for-kyverno/actions/workflows/release.yml/badge.svg) -[![The SLSA Level 3 badge](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/spec/v0.1/levels) +[![The SLSA Level 3 badge](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/spec/v1.0/levels) [![The Apache 2.0 license badge](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Follow us on Twitter](https://img.shields.io/static/v1?label=Twitter&message=Follow&color=1DA1F2)](https://twitter.com/kadrasIO)
@@ -12,7 +12,7 @@ A Carvel package for [Kyverno](https://kyverno.io), a policy engine designed for ### Prerequisites -* Kubernetes 1.24+ +* Kubernetes 1.25+ * Carvel [`kctrl`](https://carvel.dev/kapp-controller/docs/latest/install/#installing-kapp-controller-cli-kctrl) CLI. * Carvel [kapp-controller](https://carvel.dev/kapp-controller) deployed in your Kubernetes cluster. You can install it with Carvel [`kapp`](https://carvel.dev/kapp/docs/latest/install) (recommended choice) or `kubectl`.
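Review bot: The `kbld` recipe removes `package/.imgpkg/images.yml` before kbld has produced a replacement, so a failed resolution (registry unreachable, expired credentials) leaves the package with no image lock at all — and that lock is what pins every referenced image to a digest for the published bundle — while kbld writes the output path itself, so the `rm -f` appears to buy nothing; `mkdir -p package/.imgpkg && kbld --file package/config --imgpkg-lock-output package/.imgpkg/images.yml > /dev/null` keeps the previous lock in place when resolution fails. `1>> /dev/null` appends to the null device, which works but reads as a slip for `> /dev/null`. If the Makefile keeps a `.PHONY` list (not visible in this hunk), `kbld` belongs on it, since the target shares its name with the tool and produces no file by that name.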
@@ -26,10 +26,9 @@ A Carvel package for [Kyverno](https://kyverno.io), a policy engine designed for Add the Kadras [package repository](https://github.com/kadras-io/kadras-packages) to your Kubernetes cluster: ```shell - kubectl create namespace kadras-packages kctrl package repository add -r kadras-packages \ --url ghcr.io/kadras-io/kadras-packages \ - -n kadras-packages + -n kadras-packages --create-namespace ```
Installation without package repository
diff --git a/package/config/overlays/registry-credentials.yml b/package/config/overlays/registry-credentials.yml
index d9dc119..a6273cc 100644
--- a/package/config/overlays/registry-credentials.yml
+++ b/package/config/overlays/registry-credentials.yml
@@ -6,9 +6,7 @@ #! Use cases: private registries or air-gapped scenarios.
 #@ image_pull_secret_name = "canonical-registry-credentials"
-#@ image_pull_secret_namespaces = ["tekton-pipelines", "tekton-pipelines-resolvers"]
-#@ for namespace in image_pull_secret_namespaces:
 ---
 apiVersion: v1
 kind: Secret
@@ -20,7 +18,6 @@ metadata:
 type: kubernetes.io/dockerconfigjson
 data:
 .dockerconfigjson: e30K
-#@ end
 #@overlay/match by=overlay.subset({"kind":"Deployment"}), expects="2+"
 ---
diff --git a/package/config/upstream/install.yaml b/package/config/upstream/install.yaml
index c8dd026..95badb0 100644
--- a/package/config/upstream/install.yaml
+++ b/package/config/upstream/install.yaml
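Review bot: Dropping the `#@ for namespace in image_pull_secret_namespaces:` loop leaves the Secret's `metadata` block, which sits between the two hunks (old lines 15-19) and is untouched by this commit per the diffstat's three bare deletions, to decide which namespace the pull secret is created in; if that block still reads the removed loop variable (`namespace: #@ namespace`) ytt will now fail on an undefined name, and if it hard-codes a namespace the old loop was emitting duplicate Secrets, so please confirm the rendered Secret lands in `kyverno`. A pull secret in any other namespace cannot be referenced by the Kyverno Pods, and the four controller Deployments shipped in v1.10.3 (admission, background, cleanup, reports) would then fail to pull from a private registry, which is the very case this overlay exists for. The `expects="2+"` on the Deployment match in the second hunk still holds with four Deployments, but a comment such as `#! Kyverno v1.10 ships four controller Deployments; the pull secret is attached to all of them` would make that intent visible to the next bump.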
@@ -2,65 +2,204 @@ apiVersion: v1 kind: Namespace metadata: + name: kyverno labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: kyverno + app.kubernetes.io/version: v1.10.3 --- apiVersion: v1 kind: ServiceAccount metadata: - name: kyverno-cleanup-controller + name: kyverno-admission-controller + namespace: kyverno labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller + app.kubernetes.io/component: admission-controller app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-background-controller namespace: kyverno + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 --- apiVersion: v1 kind: ServiceAccount metadata: - name: kyverno + name: kyverno-cleanup-controller + namespace: kyverno labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-cleanup-jobs namespace: kyverno + labels: + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 --- apiVersion: v1 -kind: ConfigMap +kind: ServiceAccount metadata: + name: kyverno-reports-controller + namespace: kyverno labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: 
reports-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 +--- +apiVersion: v1 +kind: ConfigMap +metadata: name: kyverno namespace: kyverno + labels: + app.kubernetes.io/component: config + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 data: - # resource types to be skipped by kyverno policy engine - resourceFilters: "[*,kyverno,*][Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][Binding,*,*][ReplicaSet,*,*][AdmissionReport,*,*][ClusterAdmissionReport,*,*][BackgroundScanReport,*,*][ClusterBackgroundScanReport,*,*][ClusterRole,*,kyverno:*][ClusterRoleBinding,*,kyverno:*][ServiceAccount,kyverno,kyverno][ConfigMap,kyverno,kyverno][ConfigMap,kyverno,kyverno-metrics][Deployment,kyverno,kyverno][Job,kyverno,kyverno-hook-pre-delete][NetworkPolicy,kyverno,kyverno][PodDisruptionBudget,kyverno,kyverno][Role,kyverno,kyverno:*][RoleBinding,kyverno,kyverno:*][Secret,kyverno,kyverno-svc.kyverno.svc.*][Service,kyverno,kyverno-svc][Service,kyverno,kyverno-svc-metrics][ServiceMonitor,kyverno,kyverno-svc-service-monitor][Pod,kyverno,kyverno-test]" + enableDefaultRegistryMutation: "true" + defaultRegistry: "docker.io" + generateSuccessEvents: "false" + excludeGroups: "system:nodes" + resourceFilters: >- + [*/*,kyverno,*] + [Event,*,*] + [*/*,kube-system,*] + [*/*,kube-public,*] + [*/*,kube-node-lease,*] + [Node,*,*] + [Node/*,*,*] + [APIService,*,*] + [APIService/*,*,*] + [TokenReview,*,*] + [SubjectAccessReview,*,*] + [SelfSubjectAccessReview,*,*] + [Binding,*,*] + [Pod/binding,*,*] + [ReplicaSet,*,*] + [ReplicaSet/*,*,*] + [AdmissionReport,*,*] + [AdmissionReport/*,*,*] + [ClusterAdmissionReport,*,*] + [ClusterAdmissionReport/*,*,*] + [BackgroundScanReport,*,*] + [BackgroundScanReport/*,*,*] + 
[ClusterBackgroundScanReport,*,*] + [ClusterBackgroundScanReport/*,*,*] + [ClusterRole,*,kyverno:admission-controller] + [ClusterRole,*,kyverno:admission-controller:core] + [ClusterRole,*,kyverno:admission-controller:additional] + [ClusterRole,*,kyverno:background-controller] + [ClusterRole,*,kyverno:background-controller:core] + [ClusterRole,*,kyverno:background-controller:additional] + [ClusterRole,*,kyverno:cleanup-controller] + [ClusterRole,*,kyverno:cleanup-controller:core] + [ClusterRole,*,kyverno:cleanup-controller:additional] + [ClusterRole,*,kyverno:reports-controller] + [ClusterRole,*,kyverno:reports-controller:core] + [ClusterRole,*,kyverno:reports-controller:additional] + [ClusterRoleBinding,*,kyverno:admission-controller] + [ClusterRoleBinding,*,kyverno:background-controller] + [ClusterRoleBinding,*,kyverno:cleanup-controller] + [ClusterRoleBinding,*,kyverno:reports-controller] + [ServiceAccount,kyverno,kyverno-admission-controller] + [ServiceAccount/*,kyverno,kyverno-admission-controller] + [ServiceAccount,kyverno,kyverno-background-controller] + [ServiceAccount/*,kyverno,kyverno-background-controller] + [ServiceAccount,kyverno,kyverno-cleanup-controller] + [ServiceAccount/*,kyverno,kyverno-cleanup-controller] + [ServiceAccount,kyverno,kyverno-reports-controller] + [ServiceAccount/*,kyverno,kyverno-reports-controller] + [Role,kyverno,kyverno:admission-controller] + [Role,kyverno,kyverno:background-controller] + [Role,kyverno,kyverno:cleanup-controller] + [Role,kyverno,kyverno:reports-controller] + [RoleBinding,kyverno,kyverno:admission-controller] + [RoleBinding,kyverno,kyverno:background-controller] + [RoleBinding,kyverno,kyverno:cleanup-controller] + [RoleBinding,kyverno,kyverno:reports-controller] + [ConfigMap,kyverno,kyverno] + [ConfigMap,kyverno,kyverno-metrics] + [Deployment,kyverno,kyverno-admission-controller] + [Deployment/*,kyverno,kyverno-admission-controller] + [Deployment,kyverno,kyverno-background-controller] + 
[Deployment/*,kyverno,kyverno-background-controller] + [Deployment,kyverno,kyverno-cleanup-controller] + [Deployment/*,kyverno,kyverno-cleanup-controller] + [Deployment,kyverno,kyverno-reports-controller] + [Deployment/*,kyverno,kyverno-reports-controller] + [Pod,kyverno,kyverno-admission-controller-*] + [Pod/*,kyverno,kyverno-admission-controller-*] + [Pod,kyverno,kyverno-background-controller-*] + [Pod/*,kyverno,kyverno-background-controller-*] + [Pod,kyverno,kyverno-cleanup-controller-*] + [Pod/*,kyverno,kyverno-cleanup-controller-*] + [Pod,kyverno,kyverno-reports-controller-*] + [Pod/*,kyverno,kyverno-reports-controller-*] + [Job,kyverno,kyverno-hook-pre-delete] + [Job/*,kyverno,kyverno-hook-pre-delete] + [NetworkPolicy,kyverno,kyverno-admission-controller] + [NetworkPolicy/*,kyverno,kyverno-admission-controller] + [NetworkPolicy,kyverno,kyverno-background-controller] + [NetworkPolicy/*,kyverno,kyverno-background-controller] + [NetworkPolicy,kyverno,kyverno-cleanup-controller] + [NetworkPolicy/*,kyverno,kyverno-cleanup-controller] + [NetworkPolicy,kyverno,kyverno-reports-controller] + [NetworkPolicy/*,kyverno,kyverno-reports-controller] + [PodDisruptionBudget,kyverno,kyverno-admission-controller] + [PodDisruptionBudget/*,kyverno,kyverno-admission-controller] + [PodDisruptionBudget,kyverno,kyverno-background-controller] + [PodDisruptionBudget/*,kyverno,kyverno-background-controller] + [PodDisruptionBudget,kyverno,kyverno-cleanup-controller] + [PodDisruptionBudget/*,kyverno,kyverno-cleanup-controller] + [PodDisruptionBudget,kyverno,kyverno-reports-controller] + [PodDisruptionBudget/*,kyverno,kyverno-reports-controller] + [Service,kyverno,kyverno-svc] + [Service/*,kyverno,kyverno-svc] + [Service,kyverno,kyverno-svc-metrics] + [Service/*,kyverno,kyverno-svc-metrics] + [Service,kyverno,kyverno-background-controller-metrics] + [Service/*,kyverno,kyverno-background-controller-metrics] + [Service,kyverno,kyverno-cleanup-controller] + 
[Service/*,kyverno,kyverno-cleanup-controller] + [Service,kyverno,kyverno-cleanup-controller-metrics] + [Service/*,kyverno,kyverno-cleanup-controller-metrics] + [Service,kyverno,kyverno-reports-controller-metrics] + [Service/*,kyverno,kyverno-reports-controller-metrics] + [ServiceMonitor,kyverno,kyverno-admission-controller] + [ServiceMonitor,kyverno,kyverno-background-controller] + [ServiceMonitor,kyverno,kyverno-cleanup-controller] + [ServiceMonitor,kyverno,kyverno-reports-controller] + [Secret,kyverno,kyverno-svc.kyverno.svc.*] + [Secret,kyverno,kyverno-cleanup-controller.kyverno.svc.*] webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kyverno"]}]}}]' --- apiVersion: v1 kind: ConfigMap metadata: - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 name: kyverno-metrics namespace: kyverno + labels: + app.kubernetes.io/component: config + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 data: namespaces: "{\"exclude\":[],\"include\":[]}" --- @@ -68,13 +207,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 name: admissionreports.kyverno.io spec: group: kyverno.io 
@@ -90,38 +228,30 @@ spec: scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date - jsonPath: .spec.summary.pass - name: Pass + name: PASS type: integer - jsonPath: .spec.summary.fail - name: Fail + name: FAIL type: integer - jsonPath: .spec.summary.warn - name: Warn + name: WARN type: integer - jsonPath: .spec.summary.error - name: Error + name: ERROR type: integer - jsonPath: .spec.summary.skip - name: Skip + name: SKIP type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] + name: GVR + priority: 1 + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] + name: REF priority: 1 type: string - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] @@ -170,10 +300,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string required: - apiVersion 
@@ -414,13 +544,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 name: backgroundscanreports.kyverno.io spec: group: kyverno.io @@ -720,13 +849,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -783,6 +911,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, @@ -823,6 +954,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, 
@@ -963,6 +1097,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -1166,6 +1315,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -1376,6 +1540,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters 
@@ -1579,6 +1758,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -1769,13 +1963,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 name: clusteradmissionreports.kyverno.io spec: group: kyverno.io 
@@ -1791,38 +1984,30 @@ spec: scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date - jsonPath: .spec.summary.pass - name: Pass + name: PASS type: integer - jsonPath: .spec.summary.fail - name: Fail + name: FAIL type: integer - jsonPath: .spec.summary.warn - name: Warn + name: WARN type: integer - jsonPath: .spec.summary.error - name: Error + name: ERROR type: integer - jsonPath: .spec.summary.skip - name: Skip + name: SKIP type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.gvr'] + name: GVR + priority: 1 + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.name'] + name: REF priority: 1 type: string - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] @@ -1872,10 +2057,10 @@ spec: description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' type: string uid: - description: 'UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids' + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' type: string required: - apiVersion 
@@ -2116,13 +2301,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io @@ -2422,13 +2606,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -2485,6 +2668,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, @@ -2525,6 +2711,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, 
@@ -2665,6 +2854,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -2868,6 +3072,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -3078,6 +3297,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters 
@@ -3281,6 +3515,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -3471,13 +3720,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -3503,9 +3751,9 @@ spec: name: Failure Policy priority: 1 type: string - - jsonPath: .status.ready + - jsonPath: .status.conditions[?(@.type == "Ready")].status name: Ready - type: boolean + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -3525,6 +3773,9 @@ spec: name: Verifyimages priority: 1 type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string name: v1 schema: openAPIV3Schema: 
@@ -3574,11 +3825,14 @@ spec: - Ignore - Fail type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. + type: boolean generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. + description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: description: MutateExistingOnPolicyUpdate controls if a mutateExisting 
@@ -3602,28 +3856,70 @@ spec: must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For example a JMESPath + returned from the server. For example a JMESPath of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + response for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the - `kubectl get --raw` command. + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -3795,6 +4091,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -4013,6 +4324,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -4219,6 +4545,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -4426,6 +4767,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. @@ -4576,6 +4926,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -4794,6 +5159,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -5000,6 +5380,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -5106,9 +5501,9 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified logic. properties: context: 
@@ -5120,30 +5515,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -5210,6 +5649,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -5241,6 +5689,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -5290,6 +5742,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -5342,70 +5798,12 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for mutating + existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. 
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. 
@@ -5415,30 +5813,278 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: - jmesPath: - description: JMESPath is an optional JSON + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' type: string required: - - urlPath + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. 
+ type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + deny: + description: Deny defines conditions used to pass or fail + a validation rule. 
+ properties: + conditions: + description: 'Multiple conditions can be declared under + an `any` or `all` statement. A direct list of conditions + (without `any` or `all` statements) is also supported + for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied + for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string type: object configMap: description: ConfigMap is the ConfigMap reference. 
@@ -5551,6 +6197,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -5600,6 +6250,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -5947,7 +6601,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. + v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -5956,6 +6610,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -6225,6 +6880,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -6276,6 +6935,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -6564,6 +7227,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -6571,6 +7242,8 @@ spec: type: boolean type: object type: array + required: + - name type: object type: array schemaValidation: 
@@ -6606,6 +7279,54 @@ spec: - Audit - Enforce type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic namespaces: items: type: string 
@@ -6645,28 +7366,71 @@ spec: APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data + returned is stored in the context with the name + for the context entry. properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the - JSON response returned from the API server. - For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -6844,6 +7608,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -7069,6 +7849,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -7288,6 +8084,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -7508,6 +8319,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify @@ -7661,6 +8481,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -7886,6 +8722,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -8105,6 +8957,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -8217,10 +9084,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: context: description: Context defines variables and data 
@@ -8231,31 +9098,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -8327,6 +9241,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -8360,6 +9283,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -8411,6 +9338,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -8464,10 +9395,155 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for + mutating existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. 
A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -8477,6 +9553,16 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -8520,10 +9606,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -8539,31 +9625,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -8682,6 +9815,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -8733,6 +9870,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -9092,7 +10233,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. + v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -9101,6 +10242,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -9390,6 +10532,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -9442,6 +10588,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -9739,6 +10889,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -9746,6 +10904,8 @@ spec: type: boolean type: object type: array + required: + - name type: object type: array type: object @@ -9865,9 +11025,9 @@ spec: name: Failure Policy priority: 1 type: string - - jsonPath: .status.ready + - jsonPath: .status.conditions[?(@.type == "Ready")].status name: Ready - type: boolean + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -9887,6 +11047,9 @@ spec: name: Verifyimages priority: 1 type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string name: v2beta1 schema: openAPIV3Schema: 
@@ -9935,11 +11098,14 @@ spec: - Ignore - Fail type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. + type: boolean generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. + description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: description: MutateExistingOnPolicyUpdate controls if a mutateExisting 
@@ -9963,28 +11129,70 @@ spec: must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For example a JMESPath + returned from the server. For example a JMESPath of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + response for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the - `kubectl get --raw` command. + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -10156,6 +11364,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -10374,6 +11597,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -10589,6 +11827,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. @@ -10739,6 +11986,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -10957,6 +12219,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -11071,9 +12348,9 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified logic. properties: context: 
@@ -11085,30 +12362,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -11175,6 +12496,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -11206,6 +12536,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -11255,6 +12589,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -11307,69 +12645,218 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for mutating + existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation - to perform. 
Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
+ enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional + rule execution. This is useful for finer control of when + an rule is applied. 
A condition can reference object data + using JMESPath notation. Here, all of the conditions need + to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation + to perform. Valid operators are: Equals, NotEquals, + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: description: Value is the conditional value, or set of values. The values can be fixed set or can be variables declared using JMESPath. @@ -11388,6 +12875,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, @@ -11448,6 +12938,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: 
@@ -11491,6 +12985,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: @@ -11529,10 +13027,10 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -11548,30 +13046,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -11684,6 +13226,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -11733,6 +13279,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -12080,7 +13630,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. + v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -12089,6 +13639,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -12343,6 +13894,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -12394,6 +13949,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -12657,6 +14216,14 @@ spec: i.e. have matched passed a signature or attestation check. type: boolean + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -12664,6 +14231,8 @@ spec: type: boolean type: object type: array + required: + - name type: object type: array schemaValidation: 
@@ -12699,6 +14268,54 @@ spec: - Audit - Enforce type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic namespaces: items: type: string 
@@ -12738,28 +14355,71 @@ spec: APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data + returned is stored in the context with the name + for the context entry. properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the - JSON response returned from the API server. - For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -12937,6 +14597,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -13162,6 +14838,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -13381,6 +15073,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -13601,6 +15308,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify @@ -13754,6 +15470,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -13979,9 +15711,25 @@ spec: items: type: string type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. + Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label @@ -14198,6 +15946,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -14310,10 +16073,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: context: description: Context defines variables and data 
@@ -14324,31 +16087,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -14420,6 +16230,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -14453,6 +16272,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -14504,6 +16327,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -14557,10 +16384,155 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for + mutating existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. 
A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -14570,6 +16542,16 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -14613,10 +16595,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -14632,31 +16614,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -14775,6 +16804,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -14826,6 +16859,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -15185,7 +17222,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. + v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -15194,6 +17231,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -15483,6 +17521,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -15535,6 +17577,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -15832,6 +17878,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -15839,6 +17893,8 @@ spec: type: boolean type: object type: array + required: + - name type: object type: array type: object 
@@ -15952,48 +18008,68 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: generaterequests.kyverno.io + app.kubernetes.io/version: v1.10.3 + name: policies.kyverno.io spec: group: kyverno.io names: - kind: GenerateRequest - listKind: GenerateRequestList - plural: generaterequests + categories: + - kyverno + kind: Policy + listKind: PolicyList + plural: policies shortNames: - - gr - singular: generaterequest + - pol + singular: policy scope: Namespaced versions: - additionalPrinterColumns: - - jsonPath: .spec.policy - name: Policy - type: string - - jsonPath: .spec.resource.kind - name: ResourceKind - type: string - - jsonPath: .spec.resource.name - name: ResourceName + - jsonPath: .spec.background + name: Background + type: boolean + - jsonPath: .spec.validationFailureAction + name: Validate Action type: string - - jsonPath: .spec.resource.namespace - name: ResourceNamespace + - jsonPath: .spec.failurePolicy + name: Failure Policy + priority: 1 type: string - - jsonPath: .status.state - name: status + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: Ready type: string - jsonPath: .metadata.creationTimestamp name: Age type: date + - jsonPath: .status.rulecount.validate + name: Validate + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: Mutate + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: Generate + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: Verifyimages + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: 
string name: v1 schema: openAPIV3Schema: - description: GenerateRequest is a request to process generate rule. + description: 'Policy declares validation, mutation, and generation behaviors + for matching resources. See: https://kyverno.io/docs/writing-policies/ for + more information.' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation 
@@ -16008,214 +18084,7 @@ spec: metadata: type: object spec: - description: Spec is the information to identify the generate request. - properties: - context: - description: Context ... - properties: - admissionRequestInfo: - description: AdmissionRequestInfoObject stores the admission request - and operation details - properties: - admissionRequest: - type: string - operation: - description: Operation is the type of resource operation being - checked for admission control - type: string - type: object - userInfo: - description: RequestInfo contains permission info carried in an - admission request. - properties: - clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. - items: - type: string - nullable: true - type: array - roles: - description: Roles is a list of possible role send the request. - items: - type: string - nullable: true - type: array - userInfo: - description: UserInfo is the userInfo carried in the admission - request. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by the - authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. - type: string - username: - description: The name that uniquely identifies this user - among all active users. - type: string - type: object - type: object - type: object - policy: - description: Specifies the name of the policy. - type: string - resource: - description: ResourceSpec is the information to identify the generate - request. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. 
- type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - required: - - context - - policy - - resource - type: object - status: - description: Status contains statistics related to generate request. - properties: - generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - message: - description: Specifies request status message. - type: string - state: - description: State represents state of the generate request. 
- type: string - required: - - state - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - name: policies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: Policy - listKind: PolicyList - plural: policies - shortNames: - - pol - singular: policy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.background - name: Background - type: boolean - - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.rulecount.validate - name: Validate - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: Mutate - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: Generate - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: Verifyimages - priority: 1 - type: integer - name: v1 - schema: - openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines policy behaviors and contains one or more rules. + description: Spec defines policy behaviors and contains one or more rules. properties: applyRules: description: ApplyRules controls how rules in a policy are applied. @@ -16245,11 +18114,14 @@ spec: - Ignore - Fail type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. + type: boolean generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. + description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: description: MutateExistingOnPolicyUpdate controls if a mutateExisting 
@@ -16273,28 +18145,70 @@ spec: must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For example a JMESPath + returned from the server. For example a JMESPath of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + response for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the - `kubectl get --raw` command. + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -16466,6 +18380,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -16684,6 +18613,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -16890,6 +18834,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -17097,6 +19056,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. @@ -17247,6 +19215,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -17465,6 +19448,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -17671,6 +19669,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -17777,9 +19790,9 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified logic. properties: context: 
@@ -17791,30 +19804,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -17881,6 +19938,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -17912,6 +19978,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -17961,6 +20031,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -18013,68 +20087,214 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for mutating + existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. 
See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
+ enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + validate: + description: Validation is used to validate matching resources. 
+ properties: + anyPattern: + description: AnyPattern specifies list of validation patterns. + At least one of the patterns must be satisfied for the + validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: 'Multiple conditions can be declared under + an `any` or `all` statement. A direct list of conditions + (without `any` or `all` statements) is also supported + for backwards compatibility but will be deprecated + in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: AnyPattern specifies list of validation + patterns. At least one of the patterns must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: 
@@ -18086,30 +20306,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -18222,6 +20486,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -18271,6 +20539,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -18618,7 +20890,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. + v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -18627,6 +20899,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -18896,6 +21169,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -18947,6 +21224,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -19235,6 +21516,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -19242,6 +21531,8 @@ spec: type: boolean type: object type: array + required: + - name type: object type: array schemaValidation: 
@@ -19277,6 +21568,54 @@ spec: - Audit - Enforce type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic namespaces: items: type: string 
@@ -19317,28 +21656,71 @@ spec: APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data + returned is stored in the context with the name + for the context entry. properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the - JSON response returned from the API server. - For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -19516,6 +21898,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -19741,6 +22139,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -19960,6 +22374,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -20180,6 +22609,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify @@ -20333,6 +22771,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -20558,6 +23012,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -20777,6 +23247,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -20889,10 +23374,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: context: description: Context defines variables and data 
@@ -20903,31 +23388,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" - applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -20999,6 +23531,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -21032,6 +23573,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -21083,6 +23628,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -21136,10 +23685,155 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for + mutating existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. 
A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -21149,6 +23843,16 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -21192,10 +23896,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -21211,31 +23915,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -21354,6 +24105,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -21405,6 +24160,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -21764,7 +24523,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. + v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -21773,6 +24532,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -22062,6 +24822,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -22114,6 +24878,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -22411,6 +25179,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -22418,6 +25194,8 @@ spec: type: boolean type: object type: array + required: + - name type: object type: array type: object @@ -22537,9 +25315,9 @@ spec: name: Failure Policy priority: 1 type: string - - jsonPath: .status.ready + - jsonPath: .status.conditions[?(@.type == "Ready")].status name: Ready - type: boolean + type: string - jsonPath: .metadata.creationTimestamp name: Age type: date @@ -22559,6 +25337,9 @@ spec: name: Verifyimages priority: 1 type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string name: v2beta1 schema: openAPIV3Schema: 
@@ -22608,11 +25389,14 @@ spec: - Ignore - Fail type: string + generateExisting: + description: GenerateExisting controls whether to trigger generate + rule in existing resources If is set to "true" generate rule will + be triggered and applied to existing matched resources. Defaults + to "false" if not specified. + type: boolean generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. + description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: description: MutateExistingOnPolicyUpdate controls if a mutateExisting 
@@ -22636,28 +25420,70 @@ spec: must be provided. properties: apiCall: - description: APICall defines an HTTP request to the Kubernetes - API server. The JSON data retrieved is stored in the - context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data returned + is stored in the context with the name for the context + entry. properties: + data: + description: Data specifies the POST data sent to + the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For example a JMESPath + returned from the server. For example a JMESPath of "items | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + response for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a JSON web + service + properties: + caBundle: + description: CABundle is a PEM encoded CA bundle + which will be used to validate the server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ the HTTP GET or POST request to the Kubernetes API + server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the - `kubectl get --raw` command. + `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -22829,6 +25655,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -23047,6 +25888,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -23262,6 +26118,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when the + extracted image begins with a prefix like ''docker://''. + The ''trim_prefix'' function may be used to trim the + prefix: trim_prefix(@, ''docker://''). Note - Image + digest mutation may not be used when applying a JMESPAth + to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify an image. @@ -23412,6 +26277,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the @@ -23630,6 +26510,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the 
@@ -23744,9 +26639,9 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified logic. properties: context: 
@@ -23758,30 +26653,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -23848,6 +26787,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order on + the list. Can be Ascending to iterate from first + to last element or Descending to iterate in from + last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -23879,6 +26827,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -23928,6 +26880,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -23980,67 +26936,216 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for mutating + existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation - to perform. 
Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: ContextEntry adds variables and data + sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. + properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
+ enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path to + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" + or "/apis/apps/v1/deployments"). The + format required is the same format used + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch image + details. + properties: + jmesPath: + description: JMESPath is an optional JSON + Match Expression that can be used to transform + the ImageData struct returned as a result + of processing the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: Default is an optional arbitrary + JSON object that the variable may take + if the JMESPath expression evaluates to + nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional JMESPath + Expression that can be used to transform + the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but will + be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: 'Preconditions are used to determine if a policy + rule should be applied by evaluating a set of conditions. + The declaration can contain nested `any` or `all` statements. + A direct list of conditions (without `any` or `all` statements + is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' + properties: + all: + description: AllConditions enable variable-based conditional + rule execution. This is useful for finer control of when + an rule is applied. 
A condition can reference object data + using JMESPath notation. Here, all of the conditions need + to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: 'Operator is the conditional operation + to perform. Valid operators are: Equals, NotEquals, + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, + DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan type: string value: description: Value is the conditional value, or set @@ -24061,6 +27166,9 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: Equals, NotEquals, @@ -24121,6 +27229,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: 
@@ -24164,6 +27276,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators are: @@ -24202,10 +27318,10 @@ spec: sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -24221,30 +27337,74 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON data - retrieved is stored in the context. + description: APICall is an HTTP request to the + Kubernetes API server, or other JSON web service. + The data returned is stored in the context + with the name for the context entry. properties: + data: + description: Data specifies the POST data + sent to the server. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform - the JSON response returned from the API - server. For example a JMESPath of "items - | length(@)" applied to the API server - response to the URLPath "/apis/apps/v1/deployments" + the JSON response returned from the server. + For example a JMESPath of "items | length(@)" + applied to the API server response for + the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call to a + JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to validate + the server certificate. + type: string + url: + description: URL is the JSON web service + URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. 
"/api/v1/namespaces" + be used in the HTTP GET or POST request + to the Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See + https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -24357,6 +27517,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -24406,6 +27570,10 @@ spec: description: Key is the context entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -24753,7 +27921,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. + v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -24762,6 +27930,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -25016,6 +28185,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -25067,6 +28240,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -25330,6 +28507,14 @@ spec: i.e. have matched passed a signature or attestation check. type: boolean + type: + description: Type specifies the method of signature validation. + The allowed options are Cosign and Notary. By default + Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have a @@ -25337,6 +28522,8 @@ spec: type: boolean type: object type: array + required: + - name type: object type: array schemaValidation: 
@@ -25372,6 +28559,54 @@ spec: - Audit - Enforce type: string + namespaceSelector: + description: A label selector is a label query over a set of + resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. A + null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic namespaces: items: type: string 
@@ -25411,28 +28646,71 @@ spec: APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request to the - Kubernetes API server. The JSON data retrieved is - stored in the context. + description: APICall is an HTTP request to the Kubernetes + API server, or other JSON web service. The data + returned is stored in the context with the name + for the context entry. properties: + data: + description: Data specifies the POST data sent + to the server. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the - JSON response returned from the API server. - For example a JMESPath of "items | length(@)" - applied to the API server response to the URLPath - "/apis/apps/v1/deployments" will return the - total count of deployments across all namespaces. + JSON response returned from the server. For + example a JMESPath of "items | length(@)" applied + to the API server response for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments across + all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). + enum: + - GET + - POST type: string + service: + description: Service is an API call to a JSON + web service + properties: + caBundle: + description: CABundle is a PEM encoded CA + bundle which will be used to validate the + server certificate. + type: string + url: + description: URL is the JSON web service URL. + A typical form is `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object urlPath: description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + in the HTTP GET or POST request to the Kubernetes + API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used - by the `kubectl get --raw` command. + by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap reference. @@ -25610,6 +28888,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -25835,6 +29129,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -26054,6 +29364,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard @@ -26274,6 +29599,15 @@ spec: additionalProperties: items: properties: + jmesPath: + description: 'JMESPath is an optional JMESPath expression + to apply to the image value. This is useful when + the extracted image begins with a prefix like + ''docker://''. The ''trim_prefix'' function may + be used to trim the prefix: trim_prefix(@, ''docker://''). + Note - Image digest mutation may not be used when + applying a JMESPAth to an image.' + type: string key: description: Key is an optional name of the field within 'path' that will be used to uniquely identify @@ -26427,6 +29761,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support 
@@ -26652,6 +30002,22 @@ spec: items: type: string type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support @@ -26871,7 +30237,22 @@ spec: items: type: string type: array - selector: + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) @@ -26983,10 +30364,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: context: description: Context defines variables and data 
@@ -26997,31 +30378,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -27093,6 +30521,15 @@ spec: that results in one or more elements to which the validation logic is applied. type: string + order: + description: Order defines the iteration order + on the list. Can be Ascending to iterate from + first to last element or Descending to iterate + in from last to first element. + enum: + - Ascending + - Descending + type: string patchStrategicMerge: description: PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -27126,6 +30563,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -27177,6 +30618,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -27230,10 +30675,155 @@ spec: description: Targets defines the target resources to be mutated. items: + description: TargetResourceSpec defines targets for + mutating existing resources. properties: apiVersion: description: APIVersion specifies resource apiVersion. type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: ContextEntry adds variables and + data sources to a rule Context. Either a ConfigMap + reference or a APILookup must be provided. + properties: + apiCall: + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. + properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the JSON response + returned from the server. For example + a JMESPath of "items | length(@)" + applied to the API server response + for the URLPath "/apis/apps/v1/deployments" + will return the total count of deployments + across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. 
A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: URLPath is the URL path + to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format + used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + imageRegistry: + description: ImageRegistry defines requests + to an OCI/Docker V2 registry to fetch + image details. + properties: + jmesPath: + description: JMESPath is an optional + JSON Match Expression that can be + used to transform the ImageData struct + returned as a result of processing + the image reference. + type: string + reference: + description: 'Reference is image reference + to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest' + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: Default is an optional + arbitrary JSON object that the variable + may take if the JMESPath expression + evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: JMESPath is an optional + JMESPath Expression that can be used + to transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array kind: description: Kind specifies resource kind. type: string @@ -27243,6 +30833,16 @@ spec: namespace: description: Namespace specifies resource namespace. type: string + preconditions: + description: 'Preconditions are used to determine + if a policy rule should be applied by evaluating + a set of conditions. The declaration can contain + nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements + is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/' + x-kubernetes-preserve-unknown-fields: true type: object type: array type: object @@ -27286,10 +30886,10 @@ spec: in the list and looping over it to apply the specified logic. items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. properties: anyPattern: description: AnyPattern specifies list of validation 
@@ -27305,31 +30905,78 @@ spec: reference or a APILookup must be provided. properties: apiCall: - description: APICall defines an HTTP request - to the Kubernetes API server. The JSON - data retrieved is stored in the context. + description: APICall is an HTTP request + to the Kubernetes API server, or other + JSON web service. The data returned is + stored in the context with the name for + the context entry. properties: + data: + description: Data specifies the POST + data sent to the server. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array jmesPath: description: JMESPath is an optional JSON Match Expression that can be used to transform the JSON response - returned from the API server. For - example a JMESPath of "items | length(@)" + returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response - to the URLPath "/apis/apps/v1/deployments" + for the URLPath "/apis/apps/v1/deployments" will return the total count of deployments across all namespaces. type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). + enum: + - GET + - POST + type: string + service: + description: Service is an API call + to a JSON web service + properties: + caBundle: + description: CABundle is a PEM encoded + CA bundle which will be used to + validate the server certificate. + type: string + url: + description: URL is the JSON web + service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object urlPath: description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). 
+ to be used in the HTTP GET or POST + request to the Kubernetes API server + (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. type: string - required: - - urlPath type: object configMap: description: ConfigMap is the ConfigMap @@ -27448,6 +31095,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -27499,6 +31150,10 @@ spec: (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -27858,7 +31513,7 @@ spec: description: Version defines the Pod Security Standard versions that Kubernetes supports. Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. + v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 @@ -27867,6 +31522,7 @@ spec: - v1.23 - v1.24 - v1.25 + - v1.26 - latest type: string type: object @@ -28156,6 +31812,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators 
@@ -28208,6 +31868,10 @@ spec: entry (using JMESPath) for conditional rule evaluation. x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string operator: description: 'Operator is the conditional operation to perform. Valid operators @@ -28505,6 +32169,14 @@ spec: signing, for example an email address Deprecated. Use KeylessAttestor instead. type: string + type: + description: Type specifies the method of signature + validation. The allowed options are Cosign and Notary. + By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string verifyDigest: default: true description: VerifyDigest validates that images have @@ -28512,6 +32184,8 @@ spec: type: boolean type: object type: array + required: + - name type: object type: array type: object @@ -28625,13 +32299,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -28667,6 +32340,13 @@ spec: spec: description: Spec declares policy exception behaviors. properties: + background: + description: Background controls if exceptions are applied to existing + policies during a background scan. Optional. Default value is "true". + The value must be set to "false" if the policy rule uses variables + that are only available in the admission review request (e.g. user + name). + type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded items: 
@@ -28796,6 +32476,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -28999,6 +32694,21 @@ spec: items: type: string type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array selector: description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters @@ -29113,13 +32823,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 name: updaterequests.kyverno.io spec: group: kyverno.io @@ -29175,7 +32884,7 @@ spec: metadata: type: object spec: - description: Spec is the information to identify the update request. + description: ResourceSpec is the information to identify the trigger resource. properties: context: description: Context ... 
@@ -29430,6 +33139,10 @@ spec: type: object type: object type: object + deleteDownstream: + description: DeleteDownstream represents whether the downstream needs + to be deleted. + type: boolean policy: description: Specifies the name of the policy. type: string @@ -29440,8 +33153,8 @@ spec: - generate type: string resource: - description: ResourceSpec is the information to identify the update - request. + description: ResourceSpec is the information to identify the trigger + resource. properties: apiVersion: description: APIVersion specifies resource apiVersion. @@ -29456,10 +33169,19 @@ spec: description: Namespace specifies resource namespace. type: string type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + synchronize: + description: Synchronize represents the sync behavior of the corresponding + rule Optional. Defaults to "false" if not specified. + type: boolean required: - context + - deleteDownstream - policy - resource + - rule type: object status: description: Status contains statistics related to update request. @@ -29506,13 +33228,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io 
@@ -29874,13 +33595,12 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 + controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: crds + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io 
@@ -30240,46 +33960,82 @@ spec: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:admin-policies + name: kyverno:admission-controller labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - kyverno.io - resources: - - policies - - clusterpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + app.kubernetes.io/version: v1.10.3 +aggregationRule: + clusterRoleSelectors: + - matchLabels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:admin-policyreport + name: kyverno:admission-controller:core labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - watch + - list + - apiGroups: + - kyverno.io + resources: + - policies + - policies/status + - clusterpolicies + - clusterpolicies/status + - updaterequests + - updaterequests/status + - admissionreports + - clusteradmissionreports + - backgroundscanreports 
+ - clusterbackgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection - apiGroups: - wgpolicyk8s.io resources: - policyreports + - policyreports/status - clusterpolicyreports + - clusterpolicyreports/status verbs: - create - delete 
@@ -30288,112 +34044,147 @@ rules: - patch - update - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - update + - patch + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:admin-reports + name: kyverno:background-controller labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + app.kubernetes.io/version: v1.10.3 +aggregationRule: + clusterRoleSelectors: + - matchLabels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:admin-generaterequest + name: kyverno:background-controller:core labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 rules: -- apiGroups: - - kyverno.io - resources: - - generaterequests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole 
-metadata: - name: kyverno:admin-updaterequest - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -rules: -- apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + resources: + - updaterequests + - updaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - update + - patch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + - networkpolicies + verbs: + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps + - secrets + - resourcequotas + - limitranges + verbs: + - create + - update + - patch + - delete + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - update + - patch + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:cleanup-controller labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 aggregationRule: clusterRoleSelectors: - matchLabels: app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:cleanup-controller:core labels: - 
app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 rules: - apiGroups: - admissionregistration.k8s.io 
@@ -30442,380 +34233,709 @@ rules: - update - watch - apiGroups: - - "" + - '' + - events.k8s.io resources: - events verbs: - create - patch + - update + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno + name: kyverno-cleanup-jobs labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -aggregationRule: - clusterRoleSelectors: - - matchLabels: - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/version: v1.10.3 +rules: + - apiGroups: + - kyverno.io + resources: + - admissionreports + - clusteradmissionreports + verbs: + - list + - deletecollection + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:userinfo + name: kyverno:rbac:admin:policies labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 + rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - clusterroles - - rolebindings - - clusterrolebindings - verbs: - - watch - - list + - apiGroups: + - kyverno.io + resources: + - cleanuppolicies + - clustercleanuppolicies + - policies + - clusterpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:policies + name: kyverno:rbac:view:policies labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno 
app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 + rbac.authorization.k8s.io/aggregate-to-view: "true" rules: -- apiGroups: - - kyverno.io - resources: - - policies - - policies/status - - clusterpolicies - - clusterpolicies/status - - generaterequests - - generaterequests/status - - updaterequests - - updaterequests/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -- apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - policyreports/status - - clusterpolicyreports - - clusterpolicyreports/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection + - apiGroups: + - kyverno.io + resources: + - cleanuppolicies + - clustercleanuppolicies + - policies + - clusterpolicies + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:view + name: kyverno:rbac:admin:policyreports labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 + rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - clusterpolicyreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:generate + name: kyverno:rbac:view:policyreports labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: rbac + 
app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 + rbac.authorization.k8s.io/aggregate-to-view: "true" rules: - apiGroups: - - networking.k8s.io + - wgpolicyk8s.io resources: - - ingresses - - ingressclasses - - networkpolicies + - policyreports + - clusterpolicyreports verbs: - - create - - update - - patch - - delete + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:rbac:admin:reports + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: - apiGroups: - - '' + - kyverno.io resources: - - namespaces - - configmaps - - secrets - - resourcequotas - - limitranges + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports verbs: - create - - update - - patch - delete - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - update + - get + - list - patch - - delete + - update + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:events + name: kyverno:rbac:view:reports labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 + rbac.authorization.k8s.io/aggregate-to-view: "true" rules: -- apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - update - - patch - - delete + - apiGroups: + - kyverno.io + resources: + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports + verbs: + - get + - list + - watch 
--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: kyverno:webhook + name: kyverno:rbac:admin:updaterequests labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: rbac + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 + rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection + - apiGroups: + - kyverno.io + resources: + - updaterequests + verbs: + - create + - delete + - get + - list + - patch + - update + - watch --- -kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - name: kyverno:cleanup-controller + name: kyverno:rbac:view:updaterequests labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller + app.kubernetes.io/component: rbac app.kubernetes.io/instance: kyverno -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:cleanup-controller -subjects: -- kind: ServiceAccount - name: kyverno-cleanup-controller - namespace: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: + - apiGroups: + - kyverno.io + resources: + - updaterequests + verbs: + - get + - list + - watch --- -kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - name: kyverno + name: kyverno:reports-controller labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: 
reports-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno -subjects: -- kind: ServiceAccount - name: kyverno - namespace: kyverno + app.kubernetes.io/version: v1.10.3 +aggregationRule: + clusterRoleSelectors: + - matchLabels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: ClusterRole metadata: - name: kyverno:cleanup-controller + name: kyverno:reports-controller:core labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller + app.kubernetes.io/component: reports-controller app.kubernetes.io/instance: kyverno - namespace: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update -- apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - kyverno.io + resources: + - admissionreports + - clusteradmissionreports + - backgroundscanreports + - clusterbackgroundscanreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - 
apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - patch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:admission-controller + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:admission-controller +subjects: + - kind: ServiceAccount + name: kyverno-admission-controller + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: kyverno:leaderelection + name: kyverno:background-controller + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:background-controller +subjects: +- kind: ServiceAccount + name: kyverno-background-controller + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:cleanup-controller + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:cleanup-controller +subjects: +- kind: ServiceAccount + name: kyverno-cleanup-controller + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno-cleanup-jobs + labels: + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno-cleanup-jobs +subjects: + - kind: ServiceAccount + name: kyverno-cleanup-jobs + 
namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:reports-controller + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:reports-controller +subjects: +- kind: ServiceAccount + name: kyverno-reports-controller + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kyverno:admission-controller namespace: kyverno labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - patch - - update -- apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - patch - - update - - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - kyverno + - kyverno-metrics + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update + # Allow update of Kyverno deployment annotations + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch --- -kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: - name: kyverno:cleanup-controller + name: kyverno:background-controller labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: 
v1.9.2 + app.kubernetes.io/version: v1.10.3 + namespace: kyverno +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - kyverno + - kyverno-metrics + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kyverno:cleanup-controller + labels: app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 namespace: kyverno +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - delete + - get + - list + - update + - watch + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - kyverno + - kyverno-metrics + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kyverno:reports-controller + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 + namespace: kyverno +rules: + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - kyverno + - kyverno-metrics + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:admission-controller + namespace: kyverno + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: 
kyverno:cleanup-controller + name: kyverno:admission-controller subjects: -- kind: ServiceAccount - name: kyverno-cleanup-controller + - kind: ServiceAccount + name: kyverno-admission-controller + namespace: kyverno +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:background-controller + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 namespace: kyverno +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kyverno:background-controller +subjects: + - kind: ServiceAccount + name: kyverno-background-controller + namespace: kyverno --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: kyverno:leaderelection + name: kyverno:cleanup-controller + labels: + app.kubernetes.io/component: cleanup-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 namespace: kyverno +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kyverno:cleanup-controller +subjects: + - kind: ServiceAccount + name: kyverno-cleanup-controller + namespace: kyverno +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:reports-controller labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 + namespace: kyverno roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: kyverno:leaderelection + name: kyverno:reports-controller subjects: -- kind: ServiceAccount - name: kyverno + - kind: ServiceAccount + name: kyverno-reports-controller + namespace: kyverno +--- +apiVersion: v1 +kind: Service +metadata: + name: kyverno-svc namespace: 
kyverno + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +spec: + ports: + - port: 443 + targetPort: https + protocol: TCP + name: https + selector: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP --- apiVersion: v1 kind: Service metadata: - name: kyverno-cleanup-controller + name: kyverno-svc-metrics namespace: kyverno labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 +spec: + ports: + - port: 8000 + targetPort: 8000 + protocol: TCP + name: metrics-port + selector: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: kyverno-background-controller-metrics + namespace: kyverno + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +spec: + ports: + - port: 8000 + targetPort: 8000 + protocol: TCP + name: metrics-port + selector: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: kyverno-cleanup-controller + namespace: kyverno + labels: app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 spec: ports: - port: 443 
@@ -30824,8 +34944,8 @@ spec: name: https selector: app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno type: ClusterIP --- apiVersion: v1 @@ -30834,11 +34954,10 @@ metadata: name: kyverno-cleanup-controller-metrics namespace: kyverno labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 spec: ports: - port: 8000 
@@ -30847,66 +34966,323 @@ spec: name: metrics-port selector: app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: kyverno-reports-controller-metrics + namespace: kyverno + labels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +spec: + ports: + - port: 8000 + targetPort: 8000 + protocol: TCP + name: metrics-port + selector: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno type: ClusterIP --- -apiVersion: v1 -kind: Service +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kyverno-admission-controller + namespace: kyverno + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +spec: + replicas: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + template: + metadata: + labels: + app.kubernetes.io/component: admission-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 + spec: + dnsPolicy: ClusterFirst + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - admission-controller + topologyKey: kubernetes.io/hostname + weight: 1 + serviceAccountName: kyverno-admission-controller + initContainers: + - name: kyverno-pre + image: "ghcr.io/kyverno/kyvernopre:v1.10.3" 
+ imagePullPolicy: IfNotPresent + args: + - --loggingFormat=text + - --v=2 + resources: + limits: + cpu: 100m + memory: 256Mi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + env: + - name: INIT_CONFIG + value: kyverno + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_DEPLOYMENT + value: kyverno-admission-controller + - name: KYVERNO_SVC + value: kyverno-svc + containers: + - name: kyverno + image: "ghcr.io/kyverno/kyverno:v1.10.3" + imagePullPolicy: IfNotPresent + args: + - --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller + - --servicePort=443 + - --disableMetrics=false + - --otelConfig=prometheus + - --metricsPort=8000 + - --admissionReports=true + - --autoUpdateWebhooks=true + - --enableConfigMapCaching=true + - --enableDeferredLoading=true + - --dumpPayload=false + - --forceFailurePolicyIgnore=false + - --loggingFormat=text + - --v=2 + - --enablePolicyException=false + - --protectManagedResources=false + - --allowInsecureRegistry=false + - --registryCredentialHelpers=default,google,amazon,azure,github + resources: + limits: + memory: 384Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics-port + protocol: TCP + env: + - name: INIT_CONFIG + value: kyverno + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: 
metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_SERVICEACCOUNT_NAME + value: kyverno-admission-controller + - name: KYVERNO_SVC + value: kyverno-svc + - name: TUF_ROOT + value: /.sigstore + - name: KYVERNO_DEPLOYMENT + value: kyverno-admission-controller + startupProbe: + failureThreshold: 20 + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 2 + periodSeconds: 6 + livenessProbe: + failureThreshold: 2 + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + httpGet: + path: /health/readiness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /.sigstore + name: sigstore + volumes: + - name: sigstore + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment metadata: - name: kyverno-svc - labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + name: kyverno-background-controller namespace: kyverno -spec: - ports: - - port: 443 - targetPort: https - protocol: TCP - name: https - selector: - app: kyverno - app.kubernetes.io/name: kyverno - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - name: kyverno-svc-metrics labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - namespace: kyverno + app.kubernetes.io/version: v1.10.3 spec: - ports: - - port: 8000 - targetPort: 8000 - protocol: TCP - name: metrics-port + replicas: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate 
selector: - app: kyverno - app.kubernetes.io/name: kyverno - type: ClusterIP + matchLabels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + template: + metadata: + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 + spec: + dnsPolicy: ClusterFirst + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - background-controller + topologyKey: kubernetes.io/hostname + weight: 1 + serviceAccountName: kyverno-background-controller + containers: + - name: controller + image: "ghcr.io/kyverno/background-controller:v1.10.3" + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP + args: + - --disableMetrics=false + - --otelConfig=prometheus + - --metricsPort=8000 + - --enableConfigMapCaching=true + - --enableDeferredLoading=true + - --loggingFormat=text + - --v=2 + - --enablePolicyException=false + env: + - name: INIT_CONFIG + value: kyverno + - name: METRICS_CONFIG + value: kyverno-metrics + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault --- apiVersion: apps/v1 kind: Deployment metadata: name: kyverno-cleanup-controller + namespace: kyverno labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 app.kubernetes.io/component: cleanup-controller - 
app.kubernetes.io/name: kyverno-cleanup-controller app.kubernetes.io/instance: kyverno - namespace: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 spec: + replicas: strategy: rollingUpdate: maxSurge: 1 @@ -30915,16 +35291,15 @@ spec: selector: matchLabels: app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno template: metadata: labels: - app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 app.kubernetes.io/component: cleanup-controller - app.kubernetes.io/name: kyverno-cleanup-controller app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 spec: dnsPolicy: ClusterFirst affinity: @@ -30942,7 +35317,7 @@ spec: serviceAccountName: kyverno-cleanup-controller containers: - name: controller - image: "ghcr.io/kyverno/cleanup-controller:v1.9.2" + image: "ghcr.io/kyverno/cleanup-controller:v1.10.3" ports: - containerPort: 9443 name: https @@ -30951,31 +35326,38 @@ spec: name: metrics protocol: TCP args: - - --loggingFormat=text + - --servicePort=443 - --disableMetrics=false - --otelConfig=prometheus - --metricsPort=8000 + - --enableDeferredLoading=true + - --dumpPayload=false + - --loggingFormat=text + - --v=2 env: + - name: INIT_CONFIG + value: kyverno - name: METRICS_CONFIG value: kyverno-metrics - name: KYVERNO_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name + - name: KYVERNO_SERVICEACCOUNT_NAME + value: kyverno-cleanup-controller - name: KYVERNO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KYVERNO_SVC value: kyverno-cleanup-controller - resources: + resources: limits: memory: 128Mi requests: cpu: 100m memory: 64Mi - securityContext: - + securityContext: allowPrivilegeEscalation: false capabilities: drop: 
@@ -31017,99 +35399,97 @@ spec: apiVersion: apps/v1 kind: Deployment metadata: - name: kyverno + name: kyverno-reports-controller + namespace: kyverno labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 - namespace: kyverno + app.kubernetes.io/version: v1.10.3 spec: - selector: - matchLabels: - app: kyverno - app.kubernetes.io/name: kyverno + replicas: strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 40% type: RollingUpdate + selector: + matchLabels: + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno template: metadata: labels: - app.kubernetes.io/component: kyverno - app: kyverno - app.kubernetes.io/name: kyverno + app.kubernetes.io/component: reports-controller + app.kubernetes.io/instance: kyverno app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: v1.9.2 + app.kubernetes.io/version: v1.10.3 spec: + dnsPolicy: ClusterFirst affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - podAffinityTerm: labelSelector: matchExpressions: - - key: app.kubernetes.io/name + - key: app.kubernetes.io/component operator: In values: - - 'kyverno' + - reports-controller topologyKey: kubernetes.io/hostname weight: 1 - serviceAccountName: kyverno - dnsPolicy: ClusterFirst - initContainers: - - name: kyverno-pre - image: "ghcr.io/kyverno/kyvernopre:v1.9.2" - imagePullPolicy: IfNotPresent + serviceAccountName: kyverno-reports-controller + containers: + - name: controller + image: "ghcr.io/kyverno/reports-controller:v1.10.3" + ports: + - containerPort: 9443 + name: https + protocol: TCP + - containerPort: 8000 + name: metrics + protocol: TCP args: + - --disableMetrics=false + - --otelConfig=prometheus + - --metricsPort=8000 + - --admissionReports=true + - --policyReports=true 
+ - --backgroundScan=true + - --backgroundScanWorkers=2 + - --backgroundScanInterval=1h + - --skipResourceFilters=true + - --enableConfigMapCaching=true + - --enableDeferredLoading=true - --loggingFormat=text - resources: - limits: - cpu: 100m - memory: 256Mi - requests: - cpu: 10m - memory: 64Mi - securityContext: - - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + - --v=2 + - --enablePolicyException=false + - --reportsChunkSize=1000 + - --allowInsecureRegistry=false + - --registryCredentialHelpers=default,google,amazon,azure,github env: + - name: INIT_CONFIG + value: kyverno - name: METRICS_CONFIG value: kyverno-metrics - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - name: KYVERNO_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - - name: KYVERNO_DEPLOYMENT - value: kyverno - containers: - - name: kyverno - image: "ghcr.io/kyverno/kyverno:v1.9.2" - imagePullPolicy: IfNotPresent - args: - - --loggingFormat=text - - --exceptionNamespace=kyverno - resources: + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: TUF_ROOT + value: /.sigstore + resources: limits: - memory: 384Mi + memory: 128Mi requests: cpu: 100m - memory: 128Mi - securityContext: - + memory: 64Mi + securityContext: allowPrivilegeEscalation: false capabilities: drop: 
@@ -31119,65 +35499,105 @@ spec: runAsNonRoot: true seccompProfile: type: RuntimeDefault - ports: - - containerPort: 9443 - name: https - protocol: TCP - - containerPort: 8000 - name: metrics-port - protocol: TCP - env: - - name: INIT_CONFIG - value: kyverno - - name: METRICS_CONFIG - value: kyverno-metrics - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_SERVICEACCOUNT_NAME - value: kyverno - - name: KYVERNO_SVC - value: kyverno-svc - - name: TUF_ROOT - value: /.sigstore - - name: KYVERNO_DEPLOYMENT - value: kyverno - startupProbe: - failureThreshold: 20 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 2 - periodSeconds: 6 - livenessProbe: - failureThreshold: 2 - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - failureThreshold: 6 - httpGet: - path: /health/readiness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 volumeMounts: - mountPath: /.sigstore name: sigstore volumes: - name: sigstore emptyDir: {} +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: kyverno-cleanup-admission-reports + namespace: kyverno + labels: + app.kubernetes.io/component: cleanup + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +spec: + schedule: "*/10 * * * *" + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + spec: + serviceAccountName: kyverno-cleanup-jobs + containers: + - name: cleanup + image: "bitnami/kubectl:1.26.4" + imagePullPolicy: + command: + - /bin/sh + - -c + - | + COUNT=$(kubectl get admissionreports.kyverno.io -A | wc -l) + if [ "$COUNT" -gt 10000 ]; then + 
echo "too many reports found ($COUNT), cleaning up..." + kubectl delete admissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' + else + echo "($COUNT) reports found, no clean up needed" + fi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: kyverno-cleanup-cluster-admission-reports + namespace: kyverno + labels: + app.kubernetes.io/component: cleanup + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno + app.kubernetes.io/version: v1.10.3 +spec: + schedule: "*/10 * * * *" + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + metadata: + spec: + serviceAccountName: kyverno-cleanup-jobs + containers: + - name: cleanup + image: "bitnami/kubectl:1.26.4" + imagePullPolicy: + command: + - /bin/sh + - -c + - | + COUNT=$(kubectl get clusteradmissionreports.kyverno.io -A | wc -l) + if [ "$COUNT" -gt 10000 ]; then + echo "too many reports found ($COUNT), cleaning up..." + kubectl delete clusteradmissionreports.kyverno.io -A -l='!audit.kyverno.io/report.aggregate' + else + echo "($COUNT) reports found, no clean up needed" + fi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + restartPolicy: OnFailure diff --git a/package/vendir.lock.yml b/package/vendir.lock.yml index eb0fa25..a3d7901 100644 --- a/package/vendir.lock.yml +++ b/package/vendir.lock.yml 
@@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1 directories: - contents: - githubRelease: - tag: v1.9.2 - url: https://api.github.com/repos/kyverno/kyverno/releases/96431508 + tag: v1.10.3 + url: https://api.github.com/repos/kyverno/kyverno/releases/116017932 path: . path: config/upstream kind: LockConfig diff --git a/package/vendir.yml b/package/vendir.yml index 9d35d59..7c49c19 100755 --- a/package/vendir.yml +++ b/package/vendir.yml @@ -4,7 +4,7 @@ directories: - githubRelease: disableAutoChecksumValidation: true slug: kyverno/kyverno - tag: v1.9.2 + tag: v1.10.3 includePaths: - install.yaml path: . diff --git a/test/setup/kind/v1.24/kind-config.yml b/test/setup/kind/v1.24/kind-config.yml deleted file mode 100644 index d0fc7a3..0000000 --- a/test/setup/kind/v1.24/kind-config.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -kind: Cluster -apiVersion: kind.x-k8s.io/v1alpha4 -nodes: -- role: control-plane - image: kindest/node:v1.24.12 -- role: worker - image: kindest/node:v1.24.12 -- role: worker - image: kindest/node:v1.24.12 -- role: worker - image: kindest/node:v1.24.12 diff --git a/test/setup/kind/v1.25/kind-config.yml b/test/setup/kind/v1.25/kind-config.yml index ffbd5a2..61248f9 100644 --- a/test/setup/kind/v1.25/kind-config.yml +++ b/test/setup/kind/v1.25/kind-config.yml @@ -3,10 +3,6 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane - image: kindest/node:v1.25.8 + image: kindest/node:v1.25.11 - role: worker - image: kindest/node:v1.25.8 -- role: worker - image: kindest/node:v1.25.8 -- role: worker - image: kindest/node:v1.25.8 + image: kindest/node:v1.25.11 diff --git a/test/setup/kind/v1.26/kind-config.yml b/test/setup/kind/v1.26/kind-config.yml index e5fb54a..10ec400 100644 --- a/test/setup/kind/v1.26/kind-config.yml +++ b/test/setup/kind/v1.26/kind-config.yml 
@@ -3,10 +3,6 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane - image: kindest/node:v1.26.3 + image: kindest/node:v1.26.6 - role: worker - image: kindest/node:v1.26.3 -- role: worker - image: kindest/node:v1.26.3 -- role: worker - image: kindest/node:v1.26.3 + image: kindest/node:v1.26.6 diff --git a/test/setup/kind/v1.27/kind-config.yml b/test/setup/kind/v1.27/kind-config.yml new file mode 100644 index 0000000..4cc978d --- /dev/null +++ b/test/setup/kind/v1.27/kind-config.yml @@ -0,0 +1,8 @@ +--- +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: +- role: control-plane + image: kindest/node:v1.27.3 +- role: worker + image: kindest/node:v1.27.3