From 425e1eb4fc7d9424a006798d15755cbe1b536fec Mon Sep 17 00:00:00 2001
From: ShutingZhao
Date: Mon, 16 Sep 2024 14:57:05 +0800
Subject: [PATCH] release v1.12.6-rc.1
Signed-off-by: ShutingZhao
---
 charts/kyverno-policies/Chart.yaml | 4 +-
 charts/kyverno-policies/README.md | 2 +-
 charts/kyverno/Chart.yaml | 8 +-
 charts/kyverno/README.md | 6 +-
 charts/kyverno/charts/crds/Chart.yaml | 2 +-
 charts/kyverno/charts/crds/README.md | 2 +-
 charts/kyverno/charts/grafana/Chart.yaml | 2 +-
 charts/kyverno/charts/grafana/README.md | 2 +-
 config/install-latest-testing.yaml | 961 ++++++++---------------
 9 files changed, 328 insertions(+), 661 deletions(-)
diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index 2aaedbdb40e8..cebf2b900f01 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 type: application
 name: kyverno-policies
-version: 3.2.5
-appVersion: v1.12.5
+version: 3.2.6-rc.2
+appVersion: v1.12.6-rc.1
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Pod Security Standards implemented as Kyverno policies
 keywords:
diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
index 33257d99ea1e..818ca2c58603 100644
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
@@ -2,7 +2,7 @@
 Kubernetes Pod Security Standards implemented as Kyverno policies
-![Version: 3.2.5](https://img.shields.io/badge/Version-3.2.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.12.5](https://img.shields.io/badge/AppVersion-v1.12.5-informational?style=flat-square)
+![Version: 3.2.6-rc.2](https://img.shields.io/badge/Version-3.2.6--rc.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.12.6-rc.1](https://img.shields.io/badge/AppVersion-v1.12.6--rc.1-informational?style=flat-square)
 ## About
diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
index 5fbcf1d4db00..8f41c77ba8cd 100644
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 type: application
 name: kyverno
-version: 3.2.6
-appVersion: v1.12.5
+version: 3.2.7-rc.1
+appVersion: v1.12.6-rc.1
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Native Policy Management
 keywords:
@@ -39,8 +39,8 @@ annotations:
 description: Make admission reports breaker threshold configurable
 dependencies:
 - name: grafana
- version: 3.2.6
+ version: 3.2.7-rc.1
 condition: grafana.enabled
 - name: crds
- version: 3.2.6
+ version: 3.2.7-rc.1
 condition: crds.install
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index e7bd1d3d3379..20d819981cc5 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -2,7 +2,7 @@
 Kubernetes Native Policy Management
-![Version: 3.2.6](https://img.shields.io/badge/Version-3.2.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.12.5](https://img.shields.io/badge/AppVersion-v1.12.5-informational?style=flat-square)
+![Version: 3.2.7-rc.1](https://img.shields.io/badge/Version-3.2.7--rc.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.12.6-rc.1](https://img.shields.io/badge/AppVersion-v1.12.6--rc.1-informational?style=flat-square)
 ## About
@@ -927,8 +927,8 @@ Kubernetes: `>=1.25.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
-| | crds | 3.2.6 |
-| | grafana | 3.2.6 |
+| | crds | 3.2.7-rc.1 |
+| | grafana | 3.2.7-rc.1 |
 ## Maintainers
diff --git a/charts/kyverno/charts/crds/Chart.yaml b/charts/kyverno/charts/crds/Chart.yaml
index 77a3b9cec3c2..6feaefcce4cc 100644
--- a/charts/kyverno/charts/crds/Chart.yaml
+++ b/charts/kyverno/charts/crds/Chart.yaml
@@ -1,3 +1,3 @@
 apiVersion: v2
 name: crds
-version: 3.2.6
+version: 3.2.7-rc.1
diff --git a/charts/kyverno/charts/crds/README.md b/charts/kyverno/charts/crds/README.md
index c90e6432febc..c62edcaccb68 100644
--- a/charts/kyverno/charts/crds/README.md
+++ b/charts/kyverno/charts/crds/README.md
@@ -1,6 +1,6 @@
 # crds
-![Version: 3.2.6](https://img.shields.io/badge/Version-3.2.6-informational?style=flat-square)
+![Version: 3.2.7-rc.1](https://img.shields.io/badge/Version-3.2.7--rc.1-informational?style=flat-square)
 ## Values
diff --git a/charts/kyverno/charts/grafana/Chart.yaml b/charts/kyverno/charts/grafana/Chart.yaml
index 3f57d1bca029..0ccb3bff5f51 100644
--- a/charts/kyverno/charts/grafana/Chart.yaml
+++ b/charts/kyverno/charts/grafana/Chart.yaml
@@ -1,3 +1,3 @@
 apiVersion: v2
 name: grafana
-version: 3.2.6
+version: 3.2.7-rc.1
diff --git a/charts/kyverno/charts/grafana/README.md b/charts/kyverno/charts/grafana/README.md
index 1e2badfa6e11..249e99499aa9 100644
--- a/charts/kyverno/charts/grafana/README.md
+++ b/charts/kyverno/charts/grafana/README.md
@@ -1,6 +1,6 @@
 # grafana
-![Version: 3.2.6](https://img.shields.io/badge/Version-3.2.6-informational?style=flat-square)
+![Version: 3.2.7-rc.1](https://img.shields.io/badge/Version-3.2.7--rc.1-informational?style=flat-square)
 ## Values
diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml
index 3928319894b1..90d761f8d9b0 100644
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@@ -215,10 +215,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: admissionreports.kyverno.io spec: group: kyverno.io
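Review bot: The regenerated manifest now records `controller-gen.kubebuilder.io/version: (devel)` where it previously recorded `v0.15.0` (this hunk, and the same annotation on every other CRD later in the file), so the release candidate's schemas come from an unversioned generator build and cannot be traced to a known controller-gen release. The later hunks suggest the output really does differ from what v0.15.0 produced: type descriptions are shortened and new `required:` entries (`name`, `globalReference`) appear in the cleanup-policy CRDs, which tightens API-server validation of those objects. Whether objects already stored in a cluster still validate after an upgrade is not shown by this diff, and the nesting of the new `required:` lists is not recoverable from this view. I would regenerate with the pinned controller-gen release the branch used before, so the annotation names a real version, and confirm the `required` additions are intended for a patch release. The metadata and spec blocks continue outside the hunk.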
@@ -403,24 +403,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to + let you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -434,7 +418,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- 
@@ -723,24 +706,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to + let you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -754,7 +721,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- @@ -882,10 +848,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: backgroundscanreports.kyverno.io spec: group: kyverno.io 
@@ -1031,24 +997,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to + let you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -1062,7 +1012,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- 
@@ -1310,24 +1259,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to + let you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -1341,7 +1274,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- @@ -1467,10 +1399,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -1713,6 +1645,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -1786,6 +1720,8 @@ spec: in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: 
@@ -2626,16 +2562,8 @@ spec: properties: conditions: items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -2676,12 +2604,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -2932,6 +2855,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -3005,6 +2930,8 @@ spec: in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: 
@@ -3845,16 +3772,8 @@ spec: properties: conditions: items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -3895,12 +3814,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -4151,6 +4065,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -4224,6 +4140,8 @@ spec: in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: 
@@ -5064,16 +4982,8 @@ spec: properties: conditions: items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -5114,12 +5024,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -5151,10 +5056,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: clusteradmissionreports.kyverno.io spec: group: kyverno.io 
@@ -5340,24 +5245,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to + let you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -5371,7 +5260,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- 
@@ -5661,24 +5549,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to + let you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -5692,7 +5564,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- @@ -5820,10 +5691,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io 
@@ -5969,24 +5840,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to + let you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -6000,7 +5855,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- 
@@ -6248,24 +6102,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to + let you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -6279,7 +6117,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- @@ -6405,10 +6242,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -6651,6 +6488,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -6724,6 +6563,8 @@ spec: in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: 
@@ -7564,16 +7405,8 @@ spec: properties: conditions: items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -7614,12 +7447,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -7870,6 +7698,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -7943,6 +7773,8 @@ spec: in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: 
@@ -8783,16 +8615,8 @@ spec: properties: conditions: items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -8833,12 +8657,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -9089,6 +8908,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -9162,6 +8983,8 @@ spec: in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: 
@@ -10002,16 +9825,8 @@ spec: properties: conditions: items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -10052,12 +9867,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -10089,10 +9899,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -10242,7 +10052,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -10252,7 +10061,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -10265,7 +10073,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: @@ -10378,6 +10185,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -10452,6 +10261,8 @@ spec: in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: @@ -11960,6 +11771,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- 
@@ -12035,6 +11848,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array foreach: @@ -12300,6 +12115,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -12375,6 +12192,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array kind: @@ -12446,19 +12265,16 @@ spec: a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}". - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded. - Required. type: string valueExpression: @@ -12472,13 +12288,11 @@ spec: If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb. - If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list. - Required. type: string required: 
@@ -12498,7 +12312,7 @@ spec: which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables - as well as some other useful variables:\n\n\n- + as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for @@ -12518,10 +12332,10 @@ spec: of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, + with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly + No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when @@ -12541,7 +12355,7 @@ spec: {\"Expression\": \"object.x__dash__prop > 0\"}\n \ - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list type + > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of @@ -12617,7 +12431,6 @@ spec: description: |- `name` is the name of the resource being referenced. - `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. type: string 
@@ -12627,15 +12440,12 @@ spec: the search for params to a specific namespace. Applies to both `name` and `selector` fields. - A per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty. - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error. - - If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped @@ -12650,7 +12460,6 @@ spec: If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy. - Allowed values are `Allow` or `Deny` Default to `Deny` type: string @@ -12659,11 +12468,9 @@ spec: selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind. - If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together. - One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. properties: @@ -12871,6 +12678,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -12946,6 +12755,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array deny: 
@@ -14300,7 +14111,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -14310,7 +14120,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -14323,7 +14132,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: @@ -14368,7 +14176,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -14378,7 +14185,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -14391,7 +14197,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: @@ -14504,6 +14309,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- 
@@ -14579,6 +14386,8 @@ spec: representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: @@ -16102,6 +15911,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -16179,6 +15990,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array foreach: @@ -16450,6 +16263,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -16527,6 +16342,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array kind: @@ -16598,19 +16415,16 @@ spec: a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}". - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded. - Required. type: string valueExpression: @@ -16624,13 +16438,11 @@ spec: If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb. - If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list. - Required. type: string required: 
@@ -16651,12 +16463,12 @@ spec: expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables:\n\n\n- 'object' - The object - from the incoming request. The value is - null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null - for CREATE requests.\n- 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- @@ -16673,10 +16485,10 @@ spec: https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, + with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly + No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules 
@@ -16697,8 +16509,8 @@ spec: named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list - type of 'set' or 'map' ignores element order, + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': @@ -16774,7 +16586,6 @@ spec: description: |- `name` is the name of the resource being referenced. - `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. type: string @@ -16784,15 +16595,12 @@ spec: the search for params to a specific namespace. Applies to both `name` and `selector` fields. - A per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty. - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error. - - If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped @@ -16807,7 +16615,6 @@ spec: If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy. - Allowed values are `Allow` or `Deny` Default to `Deny` type: string @@ -16816,11 +16623,9 @@ spec: selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind. - If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together. - One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. properties: 
@@ -17032,6 +16837,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -17109,6 +16916,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array deny: @@ -18379,16 +18188,8 @@ spec: type: object conditions: items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -18429,12 +18230,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -18632,7 +18428,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -18642,7 +18437,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -18655,7 +18449,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: @@ -18768,6 +18561,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -18842,6 +18637,8 @@ spec: in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: @@ -19954,6 +19751,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -20029,6 +19828,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array foreach: @@ -20294,6 +20095,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -20369,6 +20172,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array kind: 
@@ -20527,19 +20332,16 @@ spec: a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}". - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded. - Required. type: string valueExpression: @@ -20553,13 +20355,11 @@ spec: If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb. - If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list. - Required. type: string required: @@ -20579,7 +20379,7 @@ spec: which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables - as well as some other useful variables:\n\n\n- + as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for 
@@ -20599,10 +20399,10 @@ spec: of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, + with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly + No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when @@ -20622,7 +20422,7 @@ spec: {\"Expression\": \"object.x__dash__prop > 0\"}\n \ - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list type + > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of @@ -20698,7 +20498,6 @@ spec: description: |- `name` is the name of the resource being referenced. - `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. type: string @@ -20708,15 +20507,12 @@ spec: the search for params to a specific namespace. Applies to both `name` and `selector` fields. - A per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty. - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error. - - If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped 
@@ -20731,7 +20527,6 @@ spec: If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy. - Allowed values are `Allow` or `Deny` Default to `Deny` type: string @@ -20740,11 +20535,9 @@ spec: selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind. - If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together. - One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. properties: @@ -21041,6 +20834,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -21116,6 +20911,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array deny: @@ -22444,7 +22241,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -22454,7 +22250,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -22467,7 +22262,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: 
@@ -22512,7 +22306,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -22522,7 +22315,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -22535,7 +22327,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: @@ -22648,6 +22439,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -22723,6 +22516,8 @@ spec: representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: @@ -24246,6 +24041,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -24323,6 +24120,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array foreach: @@ -24594,6 +24393,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -24671,6 +24472,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array kind: 
@@ -24742,19 +24545,16 @@ spec: a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}". - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded. - Required. type: string valueExpression: @@ -24768,13 +24568,11 @@ spec: If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb. - If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list. - Required. type: string required: @@ -24795,12 +24593,12 @@ spec: expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables:\n\n\n- 'object' - The object - from the incoming request. The value is - null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null - for CREATE requests.\n- 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 
@@ -24817,10 +24615,10 @@ spec: https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, + with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly + No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules @@ -24841,8 +24639,8 @@ spec: named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list - type of 'set' or 'map' ignores element order, + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': @@ -24918,7 +24716,6 @@ spec: description: |- `name` is the name of the resource being referenced. - `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. type: string @@ -24928,15 +24725,12 @@ spec: the search for params to a specific namespace. Applies to both `name` and `selector` fields. - A per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty. - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error. - - If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped 
@@ -24951,7 +24745,6 @@ spec: If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy. - Allowed values are `Allow` or `Deny` Default to `Deny` type: string @@ -24960,11 +24753,9 @@ spec: selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind. - If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together. - One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. properties: @@ -25176,6 +24967,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -25253,6 +25046,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array deny: @@ -26523,16 +26318,8 @@ spec: type: object conditions: items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -26573,12 +26360,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -26651,10 +26433,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: globalcontextentries.kyverno.io spec: group: kyverno.io @@ -26799,6 +26581,10 @@ spec: version: description: Version defines the version of the resource. type: string + required: + - group + - resource + - version type: object type: object status: 
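Review bot: The annotation in the hunk at `@@ -26651,10 +26433,10 @@` now reads `controller-gen.kubebuilder.io/version: (devel)` where it was `v0.15.0`, which says the CRDs in a release-candidate manifest were generated by an unversioned build of controller-gen; the policies.kyverno.io hunk at `@@ -26900,10 +26673,10 @@` has the same change. Schema differences in this file, such as the new `required:` list of `group`, `resource` and `version` in the next hunk and the shortened Condition descriptions, then cannot be tied to a known generator release or reproduced by someone auditing the manifest. I would regenerate with a pinned, tagged controller-gen so the annotation carries a release version again.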
@@ -26806,16 +26592,8 @@ spec: properties: conditions: items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -26856,12 +26634,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -26900,10 +26673,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: policies.kyverno.io spec: group: kyverno.io 
@@ -27054,7 +26827,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -27064,7 +26836,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -27077,7 +26848,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: @@ -27190,6 +26960,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -27264,6 +27036,8 @@ spec: in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: @@ -28772,6 +28546,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -28847,6 +28623,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array foreach: @@ -29112,6 +28890,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -29187,6 +28967,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array kind: 
@@ -29258,19 +29040,16 @@ spec: a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}". - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded. - Required. type: string valueExpression: @@ -29284,13 +29063,11 @@ spec: If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb. - If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list. - Required. type: string required: @@ -29310,7 +29087,7 @@ spec: which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables - as well as some other useful variables:\n\n\n- + as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for 
@@ -29330,10 +29107,10 @@ spec: of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, + with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly + No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when @@ -29353,7 +29130,7 @@ spec: {\"Expression\": \"object.x__dash__prop > 0\"}\n \ - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list type + > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of @@ -29429,7 +29206,6 @@ spec: description: |- `name` is the name of the resource being referenced. - `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. type: string @@ -29439,15 +29215,12 @@ spec: the search for params to a specific namespace. Applies to both `name` and `selector` fields. - A per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty. - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error. - - If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped 
@@ -29462,7 +29235,6 @@ spec: If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy. - Allowed values are `Allow` or `Deny` Default to `Deny` type: string @@ -29471,11 +29243,9 @@ spec: selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind. - If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together. - One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. properties: @@ -29683,6 +29453,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -29758,6 +29530,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array deny: @@ -31112,7 +30886,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -31122,7 +30895,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -31135,7 +30907,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: 
@@ -31181,7 +30952,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -31191,7 +30961,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -31204,7 +30973,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: @@ -31317,6 +31085,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -31392,6 +31162,8 @@ spec: representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: @@ -32915,6 +32687,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -32992,6 +32766,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array foreach: @@ -33263,6 +33039,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -33340,6 +33118,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array kind: 
@@ -33411,19 +33191,16 @@ spec: a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}". - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded. - Required. type: string valueExpression: @@ -33437,13 +33214,11 @@ spec: If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb. - If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list. - Required. type: string required: @@ -33464,12 +33239,12 @@ spec: expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables:\n\n\n- 'object' - The object - from the incoming request. The value is - null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null - for CREATE requests.\n- 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 
@@ -33486,10 +33261,10 @@ spec: https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, + with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly + No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules @@ -33510,8 +33285,8 @@ spec: named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list - type of 'set' or 'map' ignores element order, + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': @@ -33587,7 +33362,6 @@ spec: description: |- `name` is the name of the resource being referenced. - `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. type: string @@ -33597,15 +33371,12 @@ spec: the search for params to a specific namespace. Applies to both `name` and `selector` fields. - A per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty. - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error. - - If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped 
@@ -33620,7 +33391,6 @@ spec: If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy. - Allowed values are `Allow` or `Deny` Default to `Deny` type: string @@ -33629,11 +33399,9 @@ spec: selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind. - If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together. - One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. properties: @@ -33845,6 +33613,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -33922,6 +33692,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array deny: @@ -35192,16 +34964,8 @@ spec: type: object conditions: items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- 
@@ -35242,12 +35006,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -35446,7 +35205,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -35456,7 +35214,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -35469,7 +35226,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: @@ -35582,6 +35338,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -35656,6 +35414,8 @@ spec: in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: 
@@ -36768,6 +36528,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -36843,6 +36605,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array foreach: @@ -37108,6 +36872,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -37183,6 +36949,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array kind: @@ -37341,19 +37109,16 @@ spec: a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}". - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded. - Required. type: string valueExpression: @@ -37367,13 +37132,11 @@ spec: If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb. - If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list. - Required. type: string required: 
@@ -37393,7 +37156,7 @@ spec: which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables - as well as some other useful variables:\n\n\n- + as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for @@ -37413,10 +37176,10 @@ spec: of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, + with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly + No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when @@ -37436,7 +37199,7 @@ spec: {\"Expression\": \"object.x__dash__prop > 0\"}\n \ - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list type + > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of @@ -37512,7 +37275,6 @@ spec: description: |- `name` is the name of the resource being referenced. - `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. type: string 
@@ -37522,15 +37284,12 @@ spec: the search for params to a specific namespace. Applies to both `name` and `selector` fields. - A per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty. - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error. - - If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped @@ -37545,7 +37304,6 @@ spec: If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy. - Allowed values are `Allow` or `Deny` Default to `Deny` type: string @@ -37554,11 +37312,9 @@ spec: selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind. - If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together. - One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. properties: @@ -37855,6 +37611,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -37930,6 +37688,8 @@ spec: object representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array deny: 
@@ -39258,7 +39018,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -39268,7 +39027,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -39281,7 +39039,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: @@ -39326,7 +39083,6 @@ spec: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: - 'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). @@ -39336,7 +39092,6 @@ spec: request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - Required. type: string name: @@ -39349,7 +39104,6 @@ spec: '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') - Required. type: string required: @@ -39462,6 +39216,8 @@ spec: name: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- 
@@ -39537,6 +39293,8 @@ spec: representable in YAML or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array exclude: @@ -41060,6 +40818,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -41137,6 +40897,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array foreach: @@ -41408,6 +41170,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -41485,6 +41249,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array kind: @@ -41556,19 +41322,16 @@ spec: a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. - The key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: "{ValidatingAdmissionPolicy name}/{key}". - If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded. - Required. type: string valueExpression: @@ -41582,13 +41345,11 @@ spec: If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb. - If multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list. - Required. type: string required: 
@@ -41609,12 +41370,12 @@ spec: expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables:\n\n\n- 'object' - The object - from the incoming request. The value is - null for DELETE requests.\n- 'oldObject' - - The existing object. The value is null - for CREATE requests.\n- 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + variables:\n\n- 'object' - The object from + the incoming request. The value is null + for DELETE requests.\n- 'oldObject' - The + existing object. The value is null for CREATE + requests.\n- 'request' - Attributes of the + API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- @@ -41631,10 +41392,10 @@ spec: https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the\n request resource.\n\n\nThe `apiVersion`, + with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. - No other metadata properties are accessible.\n\n\nOnly + No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules 
@@ -41655,8 +41416,8 @@ spec: named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"}\n\n\nEquality on arrays with list - type of 'set' or 'map' ignores element order, + > 0\"}\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': @@ -41732,7 +41493,6 @@ spec: description: |- `name` is the name of the resource being referenced. - `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. type: string @@ -41742,15 +41502,12 @@ spec: the search for params to a specific namespace. Applies to both `name` and `selector` fields. - A per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty. - - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error. - - If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped @@ -41765,7 +41522,6 @@ spec: If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy. - Allowed values are `Allow` or `Deny` Default to `Deny` type: string @@ -41774,11 +41530,9 @@ spec: selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind. - If multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together. - One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. properties: 
@@ -41990,6 +41744,8 @@ spec: description: Name of the global context entry type: string + required: + - name type: object imageRegistry: description: |- @@ -42067,6 +41823,8 @@ spec: or JSON form. x-kubernetes-preserve-unknown-fields: true type: object + required: + - globalReference type: object type: array deny: @@ -43337,16 +43095,8 @@ spec: type: object conditions: items: - description: "Condition contains details for one aspect of the current - state of this API Resource.\n---\nThis struct is intended for - direct use as an array at the field path .status.conditions. For - example,\n\n\n\ttype FooStatus struct{\n\t // Represents the - observations of a foo's current state.\n\t // Known .status.conditions.type - are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // - +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t - \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" - patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t - \ // other fields\n\t}" + description: Condition contains details for one aspect of the current + state of this API Resource. properties: lastTransitionTime: description: |- @@ -43387,12 +43137,7 @@ spec: - Unknown type: string type: - description: |- - type of condition in CamelCase or in foo.example.com/CamelCase. - --- - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be - useful (see .node.status.conditions), the ability to deconflict is important. - The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -43465,10 +43210,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -45352,10 +45097,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: updaterequests.kyverno.io spec: group: kyverno.io @@ -45489,14 +45234,12 @@ spec: RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. - For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). - See documentation for the "matchPolicy" field in the webhook configuration type for more details. properties: group: 
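Review bot: The `controller-gen.kubebuilder.io/version` annotation changes from `v0.15.0` to `(devel)` in the hunk at -43465, so this release-candidate manifest no longer records which generator build produced the CRD schemas. The same replacement appears at -45352, -46139, -46496, -46853 and -47235. Regenerating with a pinned, tagged controller-gen would keep the line in the form `controller-gen.kubebuilder.io/version: <tagged version>` and make the shipped schemas reproducible and auditable. The description rewrites and new `required` lists elsewhere in this file suggest the generator itself changed, though that is inferred from the diff rather than shown.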
@@ -45515,14 +45258,12 @@ spec: RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. - For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). - See documentation for the "matchPolicy" field in the webhook configuration type. properties: group: @@ -45869,14 +45610,12 @@ spec: RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. - For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). - See documentation for the "matchPolicy" field in the webhook configuration type for more details. properties: group: 
@@ -45895,14 +45634,12 @@ spec: RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. - For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, an API request to apps/v1beta1 deployments would be converted and sent to the webhook with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). - See documentation for the "matchPolicy" field in the webhook configuration type. properties: group: @@ -46139,10 +45876,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: clusterephemeralreports.reports.kyverno.io spec: group: reports.kyverno.io 
@@ -46337,24 +46074,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to + let you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -46368,7 +46089,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- @@ -46496,10 +46216,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: ephemeralreports.reports.kyverno.io spec: group: reports.kyverno.io 
@@ -46694,24 +46414,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to + let you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -46725,7 +46429,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- @@ -46853,10 +46556,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io 
@@ -46991,24 +46694,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to let + you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -47022,7 +46709,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- @@ -47123,7 +46809,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- @@ -47235,10 +46920,10 @@ metadata: app.kubernetes.io/instance: kyverno app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno-crds - app.kubernetes.io/version: 3.2.6 - helm.sh/chart: crds-3.2.6 + app.kubernetes.io/version: 3.2.7-rc.1 + helm.sh/chart: crds-3.2.7-rc.1 annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: (devel) name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io 
@@ -47372,24 +47057,8 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: |- - ObjectReference contains enough information to let you inspect or modify the referred object. - --- - New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. - 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. - 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular - restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". - Those cannot be well described when embedded. - 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. - 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple - and the version of the actual struct is irrelevant. - 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type - will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. - - - Instead of using this type, create a locally provided and used type that is well-focused on your reference. - For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + description: ObjectReference contains enough information to let + you inspect or modify the referred object. properties: apiVersion: description: API version of the referent. 
@@ -47403,7 +47072,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |- @@ -47504,7 +47172,6 @@ spec: the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. - TODO: this design is not final and this field is subject to change in the future. type: string kind: description: |-