cue.dev/x/kyverno > clusterpolicy > v1 (version v0.4.0)
#ClusterPolicy:

ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.

apiVersion: "kyverno.io/v1"

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind: "ClusterPolicy"

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata!:
name!: string
namespace?: string
labels?: [string]: string
annotations?: [string]: string
spec!:

Spec declares policy behaviors.

admission?: bool

Admission controls if rules are applied during admission. Optional. Default value is "true".

applyRules?: "All" | "One"

ApplyRules controls how rules in a policy are applied. Rules are processed in the order of declaration. When set to `One`, processing stops after a rule has been applied, i.e. the rule matches and results in a pass, fail, or error. When set to `All`, all rules in the policy are processed. The default is `All`.

background?: bool

Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).

emitWarning?: bool

EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit. Enabling this option will extend admission request processing times. The default value is "false".

failurePolicy?: "Ignore" | "Fail"

Deprecated, use failurePolicy under the webhookConfiguration instead.

generateExisting?: bool

Deprecated, use generateExisting under the generate rule instead.

generateExistingOnPolicyUpdate?: bool

Deprecated, use generateExisting instead.

mutateExistingOnPolicyUpdate?: bool

Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead.

rules?:
[...{
	celPreconditions?: [...{
		expression!: string
		name!:       string
	}]
	context?: [...matchN(1, [{
		configMap!: _
	}, {
		apiCall!: _
	}, {
		imageRegistry!: _
	}, {
		variable!: _
	}, {
		globalReference!: _
	}]) & {
		apiCall?: {
			data?: [...{
				key!: string
				value!: null | bool | number | string | [...] | {
					...
				}
			}]
			default?: null | bool | number | string | [...] | {
				...
			}
			jmesPath?: string
			method?:   "GET" | "POST"
			service?: {
				caBundle?: string
				headers?: [...{
					key!:   string
					value!: string
				}]
				url!: string
			}
			urlPath?: string
		}
		configMap?: {
			name!:      string
			namespace?: string
		}
		globalReference?: {
			jmesPath?: string
			name!:     string
		}
		imageRegistry?: {
			imageRegistryCredentials?: {
				allowInsecureRegistry?: bool
				providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
				secrets?: [...string]
			}
			jmesPath?:  string
			reference!: string
		}
		name!: string
		variable?: {
			default?: null | bool | number | string | [...] | {
				...
			}
			jmesPath?: string
			value?: null | bool | number | string | [...] | {
				...
			}
		}
	}]
	exclude?: matchN(0, [null | bool | number | string | [...] | {
		any!: _
		all!: _
	}]) & {
		all?: [...{
			clusterRoles?: [...string]
			resources?: matchN(0, [null | bool | number | string | [...] | {
				name!:  _
				names!: _
			}]) & {
				annotations?: {
					[string]: string
				}
				kinds?: [...string]
				name?: string
				names?: [...string]
				namespaceSelector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
				namespaces?: [...string]
				operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			roles?: [...string]
			subjects?: [...{
				apiGroup?:  string
				kind!:      string
				name!:      string
				namespace?: string
			}]
		}]
		any?: [...{
			clusterRoles?: [...string]
			resources?: matchN(0, [null | bool | number | string | [...] | {
				name!:  _
				names!: _
			}]) & {
				annotations?: {
					[string]: string
				}
				kinds?: [...string]
				name?: string
				names?: [...string]
				namespaceSelector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
				namespaces?: [...string]
				operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			roles?: [...string]
			subjects?: [...{
				apiGroup?:  string
				kind!:      string
				name!:      string
				namespace?: string
			}]
		}]
		clusterRoles?: [...string]
		resources?: matchN(0, [null | bool | number | string | [...] | {
			name!:  _
			names!: _
		}]) & {
			annotations?: {
				[string]: string
			}
			kinds?: [...string]
			name?: string
			names?: [...string]
			namespaceSelector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
			namespaces?: [...string]
			operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
			selector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
		}
		roles?: [...string]
		subjects?: [...{
			apiGroup?:  string
			kind!:      string
			name!:      string
			namespace?: string
		}]
	}
	generate?: {
		apiVersion?: string
		clone?: {
			name?:      string
			namespace?: string
		}
		cloneList?: {
			kinds?: [...string]
			namespace?: string
			selector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
		}
		data?: null | bool | number | string | [...] | {
			...
		}
		foreach?: [...{
			apiVersion?: string
			clone?: {
				name?:      string
				namespace?: string
			}
			cloneList?: {
				kinds?: [...string]
				namespace?: string
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			context?: [...matchN(1, [{
				configMap!: _
			}, {
				apiCall!: _
			}, {
				imageRegistry!: _
			}, {
				variable!: _
			}, {
				globalReference!: _
			}]) & {
				apiCall?: {
					data?: [...{
						key!: string
						value!: null | bool | number | string | [...] | {
							...
						}
					}]
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					method?:   "GET" | "POST"
					service?: {
						caBundle?: string
						headers?: [...{
							key!:   string
							value!: string
						}]
						url!: string
					}
					urlPath?: string
				}
				configMap?: {
					name!:      string
					namespace?: string
				}
				globalReference?: {
					jmesPath?: string
					name!:     string
				}
				imageRegistry?: {
					imageRegistryCredentials?: {
						allowInsecureRegistry?: bool
						providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
						secrets?: [...string]
					}
					jmesPath?:  string
					reference!: string
				}
				name!: string
				variable?: {
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					value?: null | bool | number | string | [...] | {
						...
					}
				}
			}]
			data?: null | bool | number | string | [...] | {
				...
			}
			kind?:      string
			list?:      string
			name?:      string
			namespace?: string
			preconditions?: {
				all?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				any?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				...
			}
			uid?: string
		}]
		generateExisting?:               bool
		kind?:                           string
		name?:                           string
		namespace?:                      string
		orphanDownstreamOnPolicyDelete?: bool
		synchronize?:                    bool
		uid?:                            string
	}
	imageExtractors?: {
		[string]: [...{
			jmesPath?: string
			key?:      string
			name?:     string
			path!:     string
			value?:    string
		}]
	}
	match!: matchN(0, [null | bool | number | string | [...] | {
		any!: _
		all!: _
	}]) & {
		all?: [...{
			clusterRoles?: [...string]
			resources?: matchN(0, [null | bool | number | string | [...] | {
				name!:  _
				names!: _
			}]) & {
				annotations?: {
					[string]: string
				}
				kinds?: [...string]
				name?: string
				names?: [...string]
				namespaceSelector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
				namespaces?: [...string]
				operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			roles?: [...string]
			subjects?: [...{
				apiGroup?:  string
				kind!:      string
				name!:      string
				namespace?: string
			}]
		}]
		any?: [...{
			clusterRoles?: [...string]
			resources?: matchN(0, [null | bool | number | string | [...] | {
				name!:  _
				names!: _
			}]) & {
				annotations?: {
					[string]: string
				}
				kinds?: [...string]
				name?: string
				names?: [...string]
				namespaceSelector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
				namespaces?: [...string]
				operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			roles?: [...string]
			subjects?: [...{
				apiGroup?:  string
				kind!:      string
				name!:      string
				namespace?: string
			}]
		}]
		clusterRoles?: [...string]
		resources?: matchN(0, [null | bool | number | string | [...] | {
			name!:  _
			names!: _
		}]) & {
			annotations?: {
				[string]: string
			}
			kinds?: [...string]
			name?: string
			names?: [...string]
			namespaceSelector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
			namespaces?: [...string]
			operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
			selector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
		}
		roles?: [...string]
		subjects?: [...{
			apiGroup?:  string
			kind!:      string
			name!:      string
			namespace?: string
		}]
	}
	mutate?: {
		foreach?: [...{
			context?: [...matchN(1, [{
				configMap!: _
			}, {
				apiCall!: _
			}, {
				imageRegistry!: _
			}, {
				variable!: _
			}, {
				globalReference!: _
			}]) & {
				apiCall?: {
					data?: [...{
						key!: string
						value!: null | bool | number | string | [...] | {
							...
						}
					}]
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					method?:   "GET" | "POST"
					service?: {
						caBundle?: string
						headers?: [...{
							key!:   string
							value!: string
						}]
						url!: string
					}
					urlPath?: string
				}
				configMap?: {
					name!:      string
					namespace?: string
				}
				globalReference?: {
					jmesPath?: string
					name!:     string
				}
				imageRegistry?: {
					imageRegistryCredentials?: {
						allowInsecureRegistry?: bool
						providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
						secrets?: [...string]
					}
					jmesPath?:  string
					reference!: string
				}
				name!: string
				variable?: {
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					value?: null | bool | number | string | [...] | {
						...
					}
				}
			}]
			foreach?: null | bool | number | string | [...] | {
				...
			}
			list?:  string
			order?: "Ascending" | "Descending"
			patchStrategicMerge?: null | bool | number | string | [...] | {
				...
			}
			patchesJson6902?: string
			preconditions?: {
				all?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				any?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				...
			}
		}]
		mutateExistingOnPolicyUpdate?: bool
		patchStrategicMerge?: null | bool | number | string | [...] | {
			...
		}
		patchesJson6902?: string
		targets?: [...{
			apiVersion?: string
			context?: [...matchN(1, [{
				configMap!: _
			}, {
				apiCall!: _
			}, {
				imageRegistry!: _
			}, {
				variable!: _
			}, {
				globalReference!: _
			}]) & {
				apiCall?: {
					data?: [...{
						key!: string
						value!: null | bool | number | string | [...] | {
							...
						}
					}]
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					method?:   "GET" | "POST"
					service?: {
						caBundle?: string
						headers?: [...{
							key!:   string
							value!: string
						}]
						url!: string
					}
					urlPath?: string
				}
				configMap?: {
					name!:      string
					namespace?: string
				}
				globalReference?: {
					jmesPath?: string
					name!:     string
				}
				imageRegistry?: {
					imageRegistryCredentials?: {
						allowInsecureRegistry?: bool
						providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
						secrets?: [...string]
					}
					jmesPath?:  string
					reference!: string
				}
				name!: string
				variable?: {
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					value?: null | bool | number | string | [...] | {
						...
					}
				}
			}]
			kind?:      string
			name?:      string
			namespace?: string
			preconditions?: null | bool | number | string | [...] | {
				...
			}
			selector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
			uid?: string
		}]
	}
	name!: strings.MaxRunes(63)
	preconditions?: null | bool | number | string | [...] | {
		...
	}
	reportProperties?: {
		[string]: string
	}
	skipBackgroundRequests?: bool
	validate?: {
		allowExistingViolations?: bool
		anyPattern?: null | bool | number | string | [...] | {
			...
		}
		assert?: {
			...
		}
		cel?: {
			auditAnnotations?: [...{
				key!:             string
				valueExpression!: string
			}]
			expressions?: [...{
				expression!:        string
				message?:           string
				messageExpression?: string
				reason?:            string
			}]
			paramKind?: {
				apiVersion?: string
				kind?:       string
			}
			paramRef?: {
				name?:                    string
				namespace?:               string
				parameterNotFoundAction?: string
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			variables?: [...{
				expression!: string
				name!:       string
			}]
		}
		deny?: {
			conditions?: null | bool | number | string | [...] | {
				...
			}
		}
		failureAction?: "Audit" | "Enforce"
		failureActionOverrides?: [...{
			action?: "audit" | "enforce" | "Audit" | "Enforce"
			namespaceSelector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
			namespaces?: [...string]
		}]
		foreach?: [...{
			anyPattern?: null | bool | number | string | [...] | {
				...
			}
			context?: [...matchN(1, [{
				configMap!: _
			}, {
				apiCall!: _
			}, {
				imageRegistry!: _
			}, {
				variable!: _
			}, {
				globalReference!: _
			}]) & {
				apiCall?: {
					data?: [...{
						key!: string
						value!: null | bool | number | string | [...] | {
							...
						}
					}]
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					method?:   "GET" | "POST"
					service?: {
						caBundle?: string
						headers?: [...{
							key!:   string
							value!: string
						}]
						url!: string
					}
					urlPath?: string
				}
				configMap?: {
					name!:      string
					namespace?: string
				}
				globalReference?: {
					jmesPath?: string
					name!:     string
				}
				imageRegistry?: {
					imageRegistryCredentials?: {
						allowInsecureRegistry?: bool
						providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
						secrets?: [...string]
					}
					jmesPath?:  string
					reference!: string
				}
				name!: string
				variable?: {
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					value?: null | bool | number | string | [...] | {
						...
					}
				}
			}]
			deny?: {
				conditions?: null | bool | number | string | [...] | {
					...
				}
			}
			elementScope?: bool
			foreach?: null | bool | number | string | [...] | {
				...
			}
			list?: string
			pattern?: null | bool | number | string | [...] | {
				...
			}
			preconditions?: {
				all?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				any?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				...
			}
		}]
		manifests?: {
			annotationDomain?: string
			attestors?: [...{
				count?: int & >=1
				entries?: [...{
					annotations?: {
						[string]: string
					}
					attestor?: null | bool | number | string | [...] | {
						...
					}
					certificates?: {
						cert?:      string
						certChain?: string
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
					}
					keyless?: {
						additionalExtensions?: {
							[string]: string
						}
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						issuer?:       string
						issuerRegExp?: string
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
						roots?:         string
						subject?:       string
						subjectRegExp?: string
					}
					keys?: {
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						kms?:        string
						publicKeys?: string
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
						secret?: {
							name!:      string
							namespace!: string
						}
						signatureAlgorithm?: string
					}
					repository?:         string
					signatureAlgorithm?: string
				}]
			}]
			dryRun?: {
				enable?:    bool
				namespace?: string
			}
			ignoreFields?: [...{
				fields?: [...string]
				objects?: [...{
					group?:     string
					kind?:      string
					name?:      string
					namespace?: string
					version?:   string
				}]
			}]
			repository?: string
		}
		message?: string
		pattern?: null | bool | number | string | [...] | {
			...
		}
		podSecurity?: {
			exclude?: [...{
				controlName!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
				images?: [...string]
				restrictedField?: string
				values?: [...string]
			}]
			level?:   "privileged" | "baseline" | "restricted"
			version?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
		}
	}
	verifyImages?: [...{
		additionalExtensions?: {
			[string]: string
		}
		annotations?: {
			[string]: string
		}
		attestations?: [...{
			attestors?: [...{
				count?: int & >=1
				entries?: [...{
					annotations?: {
						[string]: string
					}
					attestor?: null | bool | number | string | [...] | {
						...
					}
					certificates?: {
						cert?:      string
						certChain?: string
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
					}
					keyless?: {
						additionalExtensions?: {
							[string]: string
						}
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						issuer?:       string
						issuerRegExp?: string
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
						roots?:         string
						subject?:       string
						subjectRegExp?: string
					}
					keys?: {
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						kms?:        string
						publicKeys?: string
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
						secret?: {
							name!:      string
							namespace!: string
						}
						signatureAlgorithm?: string
					}
					repository?:         string
					signatureAlgorithm?: string
				}]
			}]
			conditions?: [...{
				all?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				any?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
			}]
			name?:          string
			predicateType?: string
			type?:          string
		}]
		attestors?: [...{
			count?: int & >=1
			entries?: [...{
				annotations?: {
					[string]: string
				}
				attestor?: null | bool | number | string | [...] | {
					...
				}
				certificates?: {
					cert?:      string
					certChain?: string
					ctlog?: {
						ignoreSCT?:    bool
						pubkey?:       string
						tsaCertChain?: string
					}
					rekor?: {
						ignoreTlog?: bool
						pubkey?:     string
						url?:        string
					}
				}
				keyless?: {
					additionalExtensions?: {
						[string]: string
					}
					ctlog?: {
						ignoreSCT?:    bool
						pubkey?:       string
						tsaCertChain?: string
					}
					issuer?:       string
					issuerRegExp?: string
					rekor?: {
						ignoreTlog?: bool
						pubkey?:     string
						url?:        string
					}
					roots?:         string
					subject?:       string
					subjectRegExp?: string
				}
				keys?: {
					ctlog?: {
						ignoreSCT?:    bool
						pubkey?:       string
						tsaCertChain?: string
					}
					kms?:        string
					publicKeys?: string
					rekor?: {
						ignoreTlog?: bool
						pubkey?:     string
						url?:        string
					}
					secret?: {
						name!:      string
						namespace!: string
					}
					signatureAlgorithm?: string
				}
				repository?:         string
				signatureAlgorithm?: string
			}]
		}]
		cosignOCI11?:   bool
		failureAction?: "Audit" | "Enforce"
		image?:         string
		imageReferences?: [...string]
		imageRegistryCredentials?: {
			allowInsecureRegistry?: bool
			providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
			secrets?: [...string]
		}
		issuer?:       string
		key?:          string
		mutateDigest?: bool
		repository?:   string
		required?:     bool
		roots?:        string
		skipImageReferences?: [...string]
		subject?:  string
		type?:     "Cosign" | "SigstoreBundle" | "Notary"
		useCache?: bool
		validate?: {
			deny?: {
				conditions?: null | bool | number | string | [...] | {
					...
				}
			}
			message?: string
		}
		verifyDigest?: bool
	}]
}]

Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources.

schemaValidation?: bool

Deprecated.

useServerSideApply?: bool

UseServerSideApply controls whether to use server-side apply for generate rules. If set to "true", create and update operations for generate rules will use apply instead of create/update. Defaults to "false" if not specified.

validationFailureAction?: "audit" | "enforce" | "Audit" | "Enforce"

Deprecated, use validationFailureAction under the validate rule instead.

validationFailureActionOverrides?:
[...{
	action?: "audit" | "enforce" | "Audit" | "Enforce"
	namespaceSelector?: {
		matchExpressions?: [...{
			key!:      string
			operator!: string
			values?: [...string]
		}]
		matchLabels?: {
			[string]: string
		}
	}
	namespaces?: [...string]
}]

Deprecated, use validationFailureActionOverrides under the validate rule instead.

webhookConfiguration?:

WebhookConfiguration specifies the custom configuration for the Kubernetes admission webhook configuration.

failurePolicy?: "Ignore" | "Fail"

FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail.

matchConditions?: [...{expression!: string, name!: string}]

MatchCondition configures admission webhook matchConditions. Requires Kubernetes 1.27 or later.

timeoutSeconds?: int & >=-2147483648 & <=2147483647

TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds.

webhookTimeoutSeconds?: int & >=-2147483648 & <=2147483647

Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.
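As an added example (not code from this page or from the Kyverno or CUE projects), the following Python checker applies the spec-level constraints documented above to a ClusterPolicy loaded as a dict: the deprecated spec fields and their replacements, the `background` requirement for rules that read admission-only variables, the 63-rune rule-name limit from the schema, and the `webhookConfiguration` `failurePolicy` values and `timeoutSeconds` range (1 to 30, default 10). The two sample policies are constructed here; the `request.` variable prefix used to recognise admission-only variables is an assumption about Kyverno's variable naming that the page itself does not state.

```python
import re

# Assumption (not stated on the page): Kyverno exposes admission-request data
# under the `request.` variable prefix, e.g. {{request.userInfo.username}}.
# The page only says such variables (e.g. user name) are unavailable during
# background scans, so a policy that uses them must set spec.background: false.
ADMISSION_ONLY_VAR = re.compile(r"\{\{\s*request\.(userInfo|operation|roles|clusterRoles)\b")

# Deprecated spec-level fields and where the page says the replacement lives
# (the schema names the validate-rule field `failureAction`).
DEPRECATED_SPEC_FIELDS = {
    "failurePolicy": "spec.webhookConfiguration.failurePolicy",
    "generateExisting": "spec.rules[].generate.generateExisting",
    "generateExistingOnPolicyUpdate": "spec.rules[].generate.generateExisting",
    "mutateExistingOnPolicyUpdate": "spec.rules[].mutate.mutateExistingOnPolicyUpdate",
    "schemaValidation": None,
    "validationFailureAction": "spec.rules[].validate.failureAction",
    "validationFailureActionOverrides": "spec.rules[].validate.failureActionOverrides",
    "webhookTimeoutSeconds": "spec.webhookConfiguration.timeoutSeconds",
}
MAX_RULE_NAME_RUNES = 63  # schema: rules[].name: strings.MaxRunes(63)


def _strings(node):
    """Yield every string nested anywhere inside a policy fragment."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def lint_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    spec = policy.get("spec", {})

    for field, replacement in DEPRECATED_SPEC_FIELDS.items():
        if field in spec:
            hint = f"use {replacement} instead" if replacement else "remove it"
            findings.append(f"spec.{field} is deprecated; {hint}")

    background = spec.get("background", True)  # page: defaults to true
    for rule in spec.get("rules", []):
        name = rule.get("name", "")
        if len(name) > MAX_RULE_NAME_RUNES:
            findings.append(f"rule name {name!r} exceeds {MAX_RULE_NAME_RUNES} runes")
        if background and any(ADMISSION_ONLY_VAR.search(s) for s in _strings(rule)):
            findings.append(f"rule {name!r} uses admission-only variables but spec.background is not false")

    webhook = spec.get("webhookConfiguration", {})
    failure_policy = webhook.get("failurePolicy", "Fail")  # page: defaults to Fail
    if failure_policy not in ("Ignore", "Fail"):
        findings.append(f"webhookConfiguration.failurePolicy={failure_policy!r} is not Ignore or Fail")
    elif failure_policy == "Ignore":
        # Ignore admits the request when the webhook errors or times out: the policy fails open.
        findings.append("webhookConfiguration.failurePolicy=Ignore: policy errors and timeouts fail open")
    timeout = webhook.get("timeoutSeconds", 10)  # page: default 10s, allowed 1..30
    if not isinstance(timeout, int) or not 1 <= timeout <= 30:
        findings.append(f"webhookConfiguration.timeoutSeconds={timeout!r} is outside the allowed range 1..30")
    return findings


# Constructed sample policies (not taken from the page). The rule reads the
# requesting user name, which only exists in the admission review request.
_RULE = {
    "name": "require-admin-for-deployments",
    "match": {"any": [{"resources": {"kinds": ["Deployment"]}}]},
    "validate": {
        "failureAction": "Enforce",
        "message": "only the cluster admin may create Deployments",
        "deny": {"conditions": {"any": [
            {"key": "{{request.userInfo.username}}", "operator": "NotEquals", "value": "admin"},
        ]}},
    },
}
GOOD_POLICY = {
    "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
    "metadata": {"name": "require-admin"},
    "spec": {
        "background": False,  # required because the rule reads request.userInfo
        "webhookConfiguration": {"failurePolicy": "Fail", "timeoutSeconds": 10},
        "rules": [_RULE],
    },
}
BAD_POLICY = {
    "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
    "metadata": {"name": "require-admin-bad"},
    "spec": {
        "validationFailureAction": "Enforce",  # deprecated spec-level location
        # background left at its default (true) although the rule needs request.userInfo
        "webhookConfiguration": {"failurePolicy": "Ignore", "timeoutSeconds": 45},
        "rules": [_RULE],
    },
}

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, lint_policy(policy) or "OK")
```

Run against `BAD_POLICY` the checker reports four findings: the deprecated `validationFailureAction`, the missing `background: false`, the fail-open `failurePolicy: Ignore`, and the out-of-range timeout; `GOOD_POLICY` passes cleanly. The same walk over rule strings is the natural place to add further schema checks (for example the `operations` and `operator` enumerations listed in the rule definition above).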

status?:

Status contains policy runtime data.

autogen?:

AutogenStatus contains autogen status information.

rules?:
[...{
	celPreconditions?: [...{
		expression!: string
		name!:       string
	}]
	context?: [...matchN(1, [{
		configMap!: _
	}, {
		apiCall!: _
	}, {
		imageRegistry!: _
	}, {
		variable!: _
	}, {
		globalReference!: _
	}]) & {
		apiCall?: {
			data?: [...{
				key!: string
				value!: null | bool | number | string | [...] | {
					...
				}
			}]
			default?: null | bool | number | string | [...] | {
				...
			}
			jmesPath?: string
			method?:   "GET" | "POST"
			service?: {
				caBundle?: string
				headers?: [...{
					key!:   string
					value!: string
				}]
				url!: string
			}
			urlPath?: string
		}
		configMap?: {
			name!:      string
			namespace?: string
		}
		globalReference?: {
			jmesPath?: string
			name!:     string
		}
		imageRegistry?: {
			imageRegistryCredentials?: {
				allowInsecureRegistry?: bool
				providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
				secrets?: [...string]
			}
			jmesPath?:  string
			reference!: string
		}
		name!: string
		variable?: {
			default?: null | bool | number | string | [...] | {
				...
			}
			jmesPath?: string
			value?: null | bool | number | string | [...] | {
				...
			}
		}
	}]
	exclude?: matchN(0, [null | bool | number | string | [...] | {
		any!: _
		all!: _
	}]) & {
		all?: [...{
			clusterRoles?: [...string]
			resources?: matchN(0, [null | bool | number | string | [...] | {
				name!:  _
				names!: _
			}]) & {
				annotations?: {
					[string]: string
				}
				kinds?: [...string]
				name?: string
				names?: [...string]
				namespaceSelector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
				namespaces?: [...string]
				operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			roles?: [...string]
			subjects?: [...{
				apiGroup?:  string
				kind!:      string
				name!:      string
				namespace?: string
			}]
		}]
		any?: [...{
			clusterRoles?: [...string]
			resources?: matchN(0, [null | bool | number | string | [...] | {
				name!:  _
				names!: _
			}]) & {
				annotations?: {
					[string]: string
				}
				kinds?: [...string]
				name?: string
				names?: [...string]
				namespaceSelector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
				namespaces?: [...string]
				operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			roles?: [...string]
			subjects?: [...{
				apiGroup?:  string
				kind!:      string
				name!:      string
				namespace?: string
			}]
		}]
		clusterRoles?: [...string]
		resources?: matchN(0, [null | bool | number | string | [...] | {
			name!:  _
			names!: _
		}]) & {
			annotations?: {
				[string]: string
			}
			kinds?: [...string]
			name?: string
			names?: [...string]
			namespaceSelector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
			namespaces?: [...string]
			operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
			selector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
		}
		roles?: [...string]
		subjects?: [...{
			apiGroup?:  string
			kind!:      string
			name!:      string
			namespace?: string
		}]
	}
	generate?: {
		apiVersion?: string
		clone?: {
			name?:      string
			namespace?: string
		}
		cloneList?: {
			kinds?: [...string]
			namespace?: string
			selector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
		}
		data?: null | bool | number | string | [...] | {
			...
		}
		foreach?: [...{
			apiVersion?: string
			clone?: {
				name?:      string
				namespace?: string
			}
			cloneList?: {
				kinds?: [...string]
				namespace?: string
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			context?: [...matchN(1, [{
				configMap!: _
			}, {
				apiCall!: _
			}, {
				imageRegistry!: _
			}, {
				variable!: _
			}, {
				globalReference!: _
			}]) & {
				apiCall?: {
					data?: [...{
						key!: string
						value!: null | bool | number | string | [...] | {
							...
						}
					}]
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					method?:   "GET" | "POST"
					service?: {
						caBundle?: string
						headers?: [...{
							key!:   string
							value!: string
						}]
						url!: string
					}
					urlPath?: string
				}
				configMap?: {
					name!:      string
					namespace?: string
				}
				globalReference?: {
					jmesPath?: string
					name!:     string
				}
				imageRegistry?: {
					imageRegistryCredentials?: {
						allowInsecureRegistry?: bool
						providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
						secrets?: [...string]
					}
					jmesPath?:  string
					reference!: string
				}
				name!: string
				variable?: {
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					value?: null | bool | number | string | [...] | {
						...
					}
				}
			}]
			data?: null | bool | number | string | [...] | {
				...
			}
			kind?:      string
			list?:      string
			name?:      string
			namespace?: string
			preconditions?: {
				all?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				any?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				...
			}
			uid?: string
		}]
		generateExisting?:               bool
		kind?:                           string
		name?:                           string
		namespace?:                      string
		orphanDownstreamOnPolicyDelete?: bool
		synchronize?:                    bool
		uid?:                            string
	}
	imageExtractors?: {
		[string]: [...{
			jmesPath?: string
			key?:      string
			name?:     string
			path!:     string
			value?:    string
		}]
	}
	match!: matchN(0, [null | bool | number | string | [...] | {
		any!: _
		all!: _
	}]) & {
		all?: [...{
			clusterRoles?: [...string]
			resources?: matchN(0, [null | bool | number | string | [...] | {
				name!:  _
				names!: _
			}]) & {
				annotations?: {
					[string]: string
				}
				kinds?: [...string]
				name?: string
				names?: [...string]
				namespaceSelector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
				namespaces?: [...string]
				operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			roles?: [...string]
			subjects?: [...{
				apiGroup?:  string
				kind!:      string
				name!:      string
				namespace?: string
			}]
		}]
		any?: [...{
			clusterRoles?: [...string]
			resources?: matchN(0, [null | bool | number | string | [...] | {
				name!:  _
				names!: _
			}]) & {
				annotations?: {
					[string]: string
				}
				kinds?: [...string]
				name?: string
				names?: [...string]
				namespaceSelector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
				namespaces?: [...string]
				operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			roles?: [...string]
			subjects?: [...{
				apiGroup?:  string
				kind!:      string
				name!:      string
				namespace?: string
			}]
		}]
		clusterRoles?: [...string]
		resources?: matchN(0, [null | bool | number | string | [...] | {
			name!:  _
			names!: _
		}]) & {
			annotations?: {
				[string]: string
			}
			kinds?: [...string]
			name?: string
			names?: [...string]
			namespaceSelector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
			namespaces?: [...string]
			operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
			selector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
		}
		roles?: [...string]
		subjects?: [...{
			apiGroup?:  string
			kind!:      string
			name!:      string
			namespace?: string
		}]
	}
	mutate?: {
		foreach?: [...{
			context?: [...matchN(1, [{
				configMap!: _
			}, {
				apiCall!: _
			}, {
				imageRegistry!: _
			}, {
				variable!: _
			}, {
				globalReference!: _
			}]) & {
				apiCall?: {
					data?: [...{
						key!: string
						value!: null | bool | number | string | [...] | {
							...
						}
					}]
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					method?:   "GET" | "POST"
					service?: {
						caBundle?: string
						headers?: [...{
							key!:   string
							value!: string
						}]
						url!: string
					}
					urlPath?: string
				}
				configMap?: {
					name!:      string
					namespace?: string
				}
				globalReference?: {
					jmesPath?: string
					name!:     string
				}
				imageRegistry?: {
					imageRegistryCredentials?: {
						allowInsecureRegistry?: bool
						providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
						secrets?: [...string]
					}
					jmesPath?:  string
					reference!: string
				}
				name!: string
				variable?: {
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					value?: null | bool | number | string | [...] | {
						...
					}
				}
			}]
			foreach?: null | bool | number | string | [...] | {
				...
			}
			list?:  string
			order?: "Ascending" | "Descending"
			patchStrategicMerge?: null | bool | number | string | [...] | {
				...
			}
			patchesJson6902?: string
			preconditions?: {
				all?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				any?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				...
			}
		}]
		mutateExistingOnPolicyUpdate?: bool
		patchStrategicMerge?: null | bool | number | string | [...] | {
			...
		}
		patchesJson6902?: string
		targets?: [...{
			apiVersion?: string
			context?: [...matchN(1, [{
				configMap!: _
			}, {
				apiCall!: _
			}, {
				imageRegistry!: _
			}, {
				variable!: _
			}, {
				globalReference!: _
			}]) & {
				apiCall?: {
					data?: [...{
						key!: string
						value!: null | bool | number | string | [...] | {
							...
						}
					}]
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					method?:   "GET" | "POST"
					service?: {
						caBundle?: string
						headers?: [...{
							key!:   string
							value!: string
						}]
						url!: string
					}
					urlPath?: string
				}
				configMap?: {
					name!:      string
					namespace?: string
				}
				globalReference?: {
					jmesPath?: string
					name!:     string
				}
				imageRegistry?: {
					imageRegistryCredentials?: {
						allowInsecureRegistry?: bool
						providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
						secrets?: [...string]
					}
					jmesPath?:  string
					reference!: string
				}
				name!: string
				variable?: {
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					value?: null | bool | number | string | [...] | {
						...
					}
				}
			}]
			kind?:      string
			name?:      string
			namespace?: string
			preconditions?: null | bool | number | string | [...] | {
				...
			}
			selector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
			uid?: string
		}]
	}
	name!: strings.MaxRunes(63)
	preconditions?: null | bool | number | string | [...] | {
		...
	}
	reportProperties?: {
		[string]: string
	}
	skipBackgroundRequests?: bool
	validate?: {
		allowExistingViolations?: bool
		anyPattern?: null | bool | number | string | [...] | {
			...
		}
		assert?: {
			...
		}
		cel?: {
			auditAnnotations?: [...{
				key!:             string
				valueExpression!: string
			}]
			expressions?: [...{
				expression!:        string
				message?:           string
				messageExpression?: string
				reason?:            string
			}]
			paramKind?: {
				apiVersion?: string
				kind?:       string
			}
			paramRef?: {
				name?:                    string
				namespace?:               string
				parameterNotFoundAction?: string
				selector?: {
					matchExpressions?: [...{
						key!:      string
						operator!: string
						values?: [...string]
					}]
					matchLabels?: {
						[string]: string
					}
				}
			}
			variables?: [...{
				expression!: string
				name!:       string
			}]
		}
		deny?: {
			conditions?: null | bool | number | string | [...] | {
				...
			}
		}
		failureAction?: "Audit" | "Enforce"
		failureActionOverrides?: [...{
			action?: "audit" | "enforce" | "Audit" | "Enforce"
			namespaceSelector?: {
				matchExpressions?: [...{
					key!:      string
					operator!: string
					values?: [...string]
				}]
				matchLabels?: {
					[string]: string
				}
			}
			namespaces?: [...string]
		}]
		foreach?: [...{
			anyPattern?: null | bool | number | string | [...] | {
				...
			}
			context?: [...matchN(1, [{
				configMap!: _
			}, {
				apiCall!: _
			}, {
				imageRegistry!: _
			}, {
				variable!: _
			}, {
				globalReference!: _
			}]) & {
				apiCall?: {
					data?: [...{
						key!: string
						value!: null | bool | number | string | [...] | {
							...
						}
					}]
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					method?:   "GET" | "POST"
					service?: {
						caBundle?: string
						headers?: [...{
							key!:   string
							value!: string
						}]
						url!: string
					}
					urlPath?: string
				}
				configMap?: {
					name!:      string
					namespace?: string
				}
				globalReference?: {
					jmesPath?: string
					name!:     string
				}
				imageRegistry?: {
					imageRegistryCredentials?: {
						allowInsecureRegistry?: bool
						providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
						secrets?: [...string]
					}
					jmesPath?:  string
					reference!: string
				}
				name!: string
				variable?: {
					default?: null | bool | number | string | [...] | {
						...
					}
					jmesPath?: string
					value?: null | bool | number | string | [...] | {
						...
					}
				}
			}]
			deny?: {
				conditions?: null | bool | number | string | [...] | {
					...
				}
			}
			elementScope?: bool
			foreach?: null | bool | number | string | [...] | {
				...
			}
			list?: string
			pattern?: null | bool | number | string | [...] | {
				...
			}
			preconditions?: {
				all?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				any?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				...
			}
		}]
		manifests?: {
			annotationDomain?: string
			attestors?: [...{
				count?: int & >=1
				entries?: [...{
					annotations?: {
						[string]: string
					}
					attestor?: null | bool | number | string | [...] | {
						...
					}
					certificates?: {
						cert?:      string
						certChain?: string
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
					}
					keyless?: {
						additionalExtensions?: {
							[string]: string
						}
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						issuer?:       string
						issuerRegExp?: string
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
						roots?:         string
						subject?:       string
						subjectRegExp?: string
					}
					keys?: {
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						kms?:        string
						publicKeys?: string
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
						secret?: {
							name!:      string
							namespace!: string
						}
						signatureAlgorithm?: string
					}
					repository?:         string
					signatureAlgorithm?: string
				}]
			}]
			dryRun?: {
				enable?:    bool
				namespace?: string
			}
			ignoreFields?: [...{
				fields?: [...string]
				objects?: [...{
					group?:     string
					kind?:      string
					name?:      string
					namespace?: string
					version?:   string
				}]
			}]
			repository?: string
		}
		message?: string
		pattern?: null | bool | number | string | [...] | {
			...
		}
		podSecurity?: {
			exclude?: [...{
				controlName!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
				images?: [...string]
				restrictedField?: string
				values?: [...string]
			}]
			level?:   "privileged" | "baseline" | "restricted"
			version?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
		}
	}
	verifyImages?: [...{
		additionalExtensions?: {
			[string]: string
		}
		annotations?: {
			[string]: string
		}
		attestations?: [...{
			attestors?: [...{
				count?: int & >=1
				entries?: [...{
					annotations?: {
						[string]: string
					}
					attestor?: null | bool | number | string | [...] | {
						...
					}
					certificates?: {
						cert?:      string
						certChain?: string
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
					}
					keyless?: {
						additionalExtensions?: {
							[string]: string
						}
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						issuer?:       string
						issuerRegExp?: string
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
						roots?:         string
						subject?:       string
						subjectRegExp?: string
					}
					keys?: {
						ctlog?: {
							ignoreSCT?:    bool
							pubkey?:       string
							tsaCertChain?: string
						}
						kms?:        string
						publicKeys?: string
						rekor?: {
							ignoreTlog?: bool
							pubkey?:     string
							url?:        string
						}
						secret?: {
							name!:      string
							namespace!: string
						}
						signatureAlgorithm?: string
					}
					repository?:         string
					signatureAlgorithm?: string
				}]
			}]
			conditions?: [...{
				all?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
				any?: [...{
					key?: null | bool | number | string | [...] | {
						...
					}
					message?:  string
					operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
					value?: null | bool | number | string | [...] | {
						...
					}
				}]
			}]
			name?:          string
			predicateType?: string
			type?:          string
		}]
		attestors?: [...{
			count?: int & >=1
			entries?: [...{
				annotations?: {
					[string]: string
				}
				attestor?: null | bool | number | string | [...] | {
					...
				}
				certificates?: {
					cert?:      string
					certChain?: string
					ctlog?: {
						ignoreSCT?:    bool
						pubkey?:       string
						tsaCertChain?: string
					}
					rekor?: {
						ignoreTlog?: bool
						pubkey?:     string
						url?:        string
					}
				}
				keyless?: {
					additionalExtensions?: {
						[string]: string
					}
					ctlog?: {
						ignoreSCT?:    bool
						pubkey?:       string
						tsaCertChain?: string
					}
					issuer?:       string
					issuerRegExp?: string
					rekor?: {
						ignoreTlog?: bool
						pubkey?:     string
						url?:        string
					}
					roots?:         string
					subject?:       string
					subjectRegExp?: string
				}
				keys?: {
					ctlog?: {
						ignoreSCT?:    bool
						pubkey?:       string
						tsaCertChain?: string
					}
					kms?:        string
					publicKeys?: string
					rekor?: {
						ignoreTlog?: bool
						pubkey?:     string
						url?:        string
					}
					secret?: {
						name!:      string
						namespace!: string
					}
					signatureAlgorithm?: string
				}
				repository?:         string
				signatureAlgorithm?: string
			}]
		}]
		cosignOCI11?:   bool
		failureAction?: "Audit" | "Enforce"
		image?:         string
		imageReferences?: [...string]
		imageRegistryCredentials?: {
			allowInsecureRegistry?: bool
			providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
			secrets?: [...string]
		}
		issuer?:       string
		key?:          string
		mutateDigest?: bool
		repository?:   string
		required?:     bool
		roots?:        string
		skipImageReferences?: [...string]
		subject?:  string
		type?:     "Cosign" | "SigstoreBundle" | "Notary"
		useCache?: bool
		validate?: {
			deny?: {
				conditions?: null | bool | number | string | [...] | {
					...
				}
			}
			message?: string
		}
		verifyDigest?: bool
	}]
}]
¶

Rules is a list of Rule instances. It also contains the auto-generated rules added for Pod controllers.
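As an added example (not code from the cue.dev module or from the Kyverno project), the following CUE file unifies a ClusterPolicy with `#ClusterPolicy` so that `cue vet` rejects any field or value the rules schema above forbids. It exercises the mutually exclusive `any`/`all` selectors in `match` and `exclude`, a `validate.podSecurity` rule with a narrow `exclude` carve-out, and a `verifyImages` rule with a keyless attestor. The import path, the registry name, the image prefixes and the GitHub workflow identity are assumptions chosen for illustration.

```cue
package policies

// Added example (not from the cue.dev module or the Kyverno project): a
// ClusterPolicy unified against #ClusterPolicy so `cue vet` rejects fields or
// values the schema forbids. The import path and the registry/repository
// names are assumptions chosen for illustration.
import kyvernov1 "cue.dev/x/kyverno/clusterpolicy/v1"

restrictedPodsSignedImages: kyvernov1.#ClusterPolicy & {
	metadata: name: "restricted-pods-signed-images"
	spec: rules: [{
		// Rule names are limited to 63 runes by the schema.
		name: "restricted-pod-security"
		// `any` and `all` are mutually exclusive in match/exclude; pick one.
		match: any: [{
			resources: {
				kinds: ["Pod"]
				operations: ["CREATE", "UPDATE"]
			}
		}]
		// `name` and `names` under resources are likewise mutually exclusive.
		exclude: any: [{
			resources: namespaces: ["kube-system"]
		}]
		validate: {
			failureAction: "Enforce"
			podSecurity: {
				level:   "restricted"
				version: "latest"
				// Narrow carve-out: one image prefix may add one extra capability.
				// Every other control of the restricted profile still applies.
				exclude: [{
					controlName:     "Capabilities"
					images:          ["registry.example.com/debug-tools/*"]
					restrictedField: "spec.containers[*].securityContext.capabilities.add"
					values:          ["SYS_PTRACE"]
				}]
			}
		}
	}, {
		name: "verify-keyless-signatures"
		match: any: [{resources: kinds: ["Pod"]}]
		verifyImages: [{
			type: "Cosign"
			imageReferences: ["registry.example.com/*"]
			failureAction: "Enforce"
			// Unverified images are rejected, references are pinned to the
			// verified digest, and the digest is re-checked on admission.
			required:     true
			mutateDigest: true
			verifyDigest: true
			attestors: [{
				count: 1
				entries: [{
					keyless: {
						// Bind the identity, not just the OIDC issuer: any GitHub
						// Actions workflow could otherwise satisfy the check.
						issuer:  "https://token.actions.githubusercontent.com"
						subject: "https://github.com/example-org/app/.github/workflows/release.yaml@refs/tags/*"
						// Keep transparency-log and SCT checks on; ignoreTlog and
						// ignoreSCT drop the evidence that the signature was logged.
						rekor: ignoreTlog: false
						ctlog: ignoreSCT:  false
					}
				}]
			}]
		}]
	}]
}
```

Run `cue vet` on the file to check it against the schema, then `cue export --out yaml` to emit the manifest for `kubectl apply`. Two settings from the schema deserve a deliberate decision rather than a default: `imageRegistryCredentials.allowInsecureRegistry` should stay unset so signature lookups are not downgraded to plaintext, and a `podSecurity.exclude` entry should always carry `images` and `restrictedField`, since an entry without them relaxes the control for every Pod the rule matches.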

conditions?:
[...{
	lastTransitionTime!: time.Time
	message!:            strings.MaxRunes(32768)
	observedGeneration?: int & >=0 & <=9223372036854775807
	reason!: strings.MaxRunes(1024) & strings.MinRunes(1) & {
		=~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"
	}
	status!: "True" | "False" | "Unknown"
	type!: strings.MaxRunes(316) & {
		=~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
	}
}]
¶
ready?: bool ¶

Deprecated in favor of Conditions.

rulecount?: ¶

RuleCountStatus contains four counters describing the number of validate, generate, mutate and verify-images rules in the policy.

generate!: int ¶

Count for generate rules in policy

mutate!: int ¶

Count for mutate rules in policy

validate!: int ¶

Count for validate rules in policy

verifyimages!: int ¶

Count for verify image rules in policy

validatingadmissionpolicy?: ¶

ValidatingAdmissionPolicy contains status information about the validating admission policy generated from this policy.

generated!: bool ¶

Generated indicates whether a validating admission policy was generated from the policy.

message!: string ¶

Message is a human-readable message giving details about the generation of the validating admission policy. It is an empty string when the validating admission policy is successfully generated.

Source files

  • schema.cue