APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
Spec defines policy behaviors and contains one or more rules.
Admission controls if rules are applied during admission. Optional. Default value is "true".
ApplyRules controls how rules in a policy are applied. Rules are processed in the order of declaration. When set to `One`, processing stops after a rule has been applied, i.e. the rule matches and results in a pass, fail, or error. When set to `All`, all rules in the policy are processed. The default is `All`.
Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).
EmitWarning enables API response warnings for mutate policy rules or validate policy rules with validationFailureAction set to Audit. Enabling this option will extend admission request processing times. The default value is "false".
Deprecated, use failurePolicy under the webhookConfiguration instead.
Deprecated, use generateExisting under the generate rule instead.
Deprecated, use generateExisting instead
Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead
[...{
celPreconditions?: [...{
expression!: string
name!: string
}]
context?: [...matchN(1, [{
configMap!: _
}, {
apiCall!: _
}, {
imageRegistry!: _
}, {
variable!: _
}, {
globalReference!: _
}]) & {
apiCall?: {
data?: [...{
key!: string
value!: null | bool | number | string | [...] | {
...
}
}]
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
method?: "GET" | "POST"
service?: {
caBundle?: string
headers?: [...{
key!: string
value!: string
}]
url!: string
}
urlPath?: string
}
configMap?: {
name!: string
namespace?: string
}
globalReference?: {
jmesPath?: string
name!: string
}
imageRegistry?: {
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
jmesPath?: string
reference!: string
}
name!: string
variable?: {
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
value?: null | bool | number | string | [...] | {
...
}
}
}]
exclude?: matchN(0, [null | bool | number | string | [...] | {
any!: _
all!: _
}]) & {
all?: [...{
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}]
any?: [...{
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}]
}
generate?: {
apiVersion?: string
clone?: {
name?: string
namespace?: string
}
cloneList?: {
kinds?: [...string]
namespace?: string
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
data?: null | bool | number | string | [...] | {
...
}
foreach?: [...{
apiVersion?: string
clone?: {
name?: string
namespace?: string
}
cloneList?: {
kinds?: [...string]
namespace?: string
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
context?: [...matchN(1, [{
configMap!: _
}, {
apiCall!: _
}, {
imageRegistry!: _
}, {
variable!: _
}, {
globalReference!: _
}]) & {
apiCall?: {
data?: [...{
key!: string
value!: null | bool | number | string | [...] | {
...
}
}]
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
method?: "GET" | "POST"
service?: {
caBundle?: string
headers?: [...{
key!: string
value!: string
}]
url!: string
}
urlPath?: string
}
configMap?: {
name!: string
namespace?: string
}
globalReference?: {
jmesPath?: string
name!: string
}
imageRegistry?: {
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
jmesPath?: string
reference!: string
}
name!: string
variable?: {
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
value?: null | bool | number | string | [...] | {
...
}
}
}]
data?: null | bool | number | string | [...] | {
...
}
kind?: string
list?: string
name?: string
namespace?: string
preconditions?: {
all?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
any?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
...
}
uid?: string
}]
generateExisting?: bool
kind?: string
name?: string
namespace?: string
orphanDownstreamOnPolicyDelete?: bool
synchronize?: bool
uid?: string
}
imageExtractors?: {
[string]: [...{
jmesPath?: string
key?: string
name?: string
path!: string
value?: string
}]
}
match!: matchN(0, [null | bool | number | string | [...] | {
any!: _
all!: _
}]) & {
all?: [...{
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}]
any?: [...{
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}]
}
mutate?: {
foreach?: [...{
context?: [...matchN(1, [{
configMap!: _
}, {
apiCall!: _
}, {
imageRegistry!: _
}, {
variable!: _
}, {
globalReference!: _
}]) & {
apiCall?: {
data?: [...{
key!: string
value!: null | bool | number | string | [...] | {
...
}
}]
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
method?: "GET" | "POST"
service?: {
caBundle?: string
headers?: [...{
key!: string
value!: string
}]
url!: string
}
urlPath?: string
}
configMap?: {
name!: string
namespace?: string
}
globalReference?: {
jmesPath?: string
name!: string
}
imageRegistry?: {
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
jmesPath?: string
reference!: string
}
name!: string
variable?: {
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
value?: null | bool | number | string | [...] | {
...
}
}
}]
foreach?: null | bool | number | string | [...] | {
...
}
list?: string
order?: "Ascending" | "Descending"
patchStrategicMerge?: null | bool | number | string | [...] | {
...
}
patchesJson6902?: string
preconditions?: {
all?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
any?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
...
}
}]
mutateExistingOnPolicyUpdate?: bool
patchStrategicMerge?: null | bool | number | string | [...] | {
...
}
patchesJson6902?: string
targets?: [...{
apiVersion?: string
context?: [...matchN(1, [{
configMap!: _
}, {
apiCall!: _
}, {
imageRegistry!: _
}, {
variable!: _
}, {
globalReference!: _
}]) & {
apiCall?: {
data?: [...{
key!: string
value!: null | bool | number | string | [...] | {
...
}
}]
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
method?: "GET" | "POST"
service?: {
caBundle?: string
headers?: [...{
key!: string
value!: string
}]
url!: string
}
urlPath?: string
}
configMap?: {
name!: string
namespace?: string
}
globalReference?: {
jmesPath?: string
name!: string
}
imageRegistry?: {
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
jmesPath?: string
reference!: string
}
name!: string
variable?: {
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
value?: null | bool | number | string | [...] | {
...
}
}
}]
kind?: string
name?: string
namespace?: string
preconditions?: null | bool | number | string | [...] | {
...
}
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
uid?: string
}]
}
name!: strings.MaxRunes(63)
preconditions?: {
all?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
any?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
}
skipBackgroundRequests?: bool
validate?: {
anyPattern?: null | bool | number | string | [...] | {
...
}
assert?: {
...
}
cel?: {
auditAnnotations?: [...{
key!: string
valueExpression!: string
}]
expressions?: [...{
expression!: string
message?: string
messageExpression?: string
reason?: string
}]
paramKind?: {
apiVersion?: string
kind?: string
}
paramRef?: {
name?: string
namespace?: string
parameterNotFoundAction?: string
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
variables?: [...{
expression!: string
name!: string
}]
}
deny?: {
conditions?: {
all?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
any?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
}
}
failureAction?: "Audit" | "Enforce"
failureActionOverrides?: [...{
action?: "audit" | "enforce" | "Audit" | "Enforce"
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
}]
foreach?: [...{
anyPattern?: null | bool | number | string | [...] | {
...
}
context?: [...matchN(1, [{
configMap!: _
}, {
apiCall!: _
}, {
imageRegistry!: _
}, {
variable!: _
}, {
globalReference!: _
}]) & {
apiCall?: {
data?: [...{
key!: string
value!: null | bool | number | string | [...] | {
...
}
}]
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
method?: "GET" | "POST"
service?: {
caBundle?: string
headers?: [...{
key!: string
value!: string
}]
url!: string
}
urlPath?: string
}
configMap?: {
name!: string
namespace?: string
}
globalReference?: {
jmesPath?: string
name!: string
}
imageRegistry?: {
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
jmesPath?: string
reference!: string
}
name!: string
variable?: {
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
value?: null | bool | number | string | [...] | {
...
}
}
}]
deny?: {
conditions?: null | bool | number | string | [...] | {
...
}
}
elementScope?: bool
foreach?: null | bool | number | string | [...] | {
...
}
list?: string
pattern?: null | bool | number | string | [...] | {
...
}
preconditions?: {
all?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
any?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
...
}
}]
manifests?: {
annotationDomain?: string
attestors?: [...{
count?: int & >=1
entries?: [...{
annotations?: {
[string]: string
}
attestor?: null | bool | number | string | [...] | {
...
}
certificates?: {
cert?: string
certChain?: string
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
}
keyless?: {
additionalExtensions?: {
[string]: string
}
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
issuer?: string
issuerRegExp?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
roots?: string
subject?: string
subjectRegExp?: string
}
keys?: {
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
kms?: string
publicKeys?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
secret?: {
name!: string
namespace!: string
}
signatureAlgorithm?: string
}
repository?: string
signatureAlgorithm?: string
}]
}]
dryRun?: {
enable?: bool
namespace?: string
}
ignoreFields?: [...{
fields?: [...string]
objects?: [...{
group?: string
kind?: string
name?: string
namespace?: string
version?: string
}]
}]
repository?: string
}
message?: string
pattern?: null | bool | number | string | [...] | {
...
}
podSecurity?: {
exclude?: [...{
controlName!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
images?: [...string]
restrictedField?: string
values?: [...string]
}]
level?: "privileged" | "baseline" | "restricted"
version?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
}
}
verifyImages?: [...{
attestations?: [...{
attestors?: [...{
count?: int & >=1
entries?: [...{
annotations?: {
[string]: string
}
attestor?: null | bool | number | string | [...] | {
...
}
certificates?: {
cert?: string
certChain?: string
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
}
keyless?: {
additionalExtensions?: {
[string]: string
}
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
issuer?: string
issuerRegExp?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
roots?: string
subject?: string
subjectRegExp?: string
}
keys?: {
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
kms?: string
publicKeys?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
secret?: {
name!: string
namespace!: string
}
signatureAlgorithm?: string
}
repository?: string
signatureAlgorithm?: string
}]
}]
conditions?: [...{
all?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
any?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
}]
name?: string
predicateType?: string
type?: string
}]
attestors?: [...{
count?: int & >=1
entries?: [...{
annotations?: {
[string]: string
}
attestor?: null | bool | number | string | [...] | {
...
}
certificates?: {
cert?: string
certChain?: string
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
}
keyless?: {
additionalExtensions?: {
[string]: string
}
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
issuer?: string
issuerRegExp?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
roots?: string
subject?: string
subjectRegExp?: string
}
keys?: {
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
kms?: string
publicKeys?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
secret?: {
name!: string
namespace!: string
}
signatureAlgorithm?: string
}
repository?: string
signatureAlgorithm?: string
}]
}]
failureAction?: "Audit" | "Enforce"
imageReferences?: [...string]
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
mutateDigest?: bool
repository?: string
required?: bool
skipImageReferences?: [...string]
type?: "Cosign" | "SigstoreBundle" | "Notary"
useCache?: bool
validate?: {
deny?: {
conditions?: null | bool | number | string | [...] | {
...
}
}
message?: string
}
verifyDigest?: bool
}]
}]
Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources.
Deprecated.
UseServerSideApply controls whether to use server-side apply for generate rules. If set to "true", create and update operations for generate rules use apply instead of create/update. Defaults to "false" if not specified.
Deprecated, use validationFailureAction under the validate rule instead.
[...{
action?: "audit" | "enforce" | "Audit" | "Enforce"
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
}]
Deprecated, use validationFailureActionOverrides under the validate rule instead.
WebhookConfiguration specifies the custom configuration for the Kubernetes admission webhook configuration.
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. This field should not be accessed directly; use `GetFailurePolicy()` instead. Allowed values are Ignore or Fail. Defaults to Fail.
MatchCondition configures admission webhook matchConditions. Requires Kubernetes 1.27 or later.
TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds.
Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.
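The Background, FailurePolicy and TimeoutSeconds constraints described above can be checked on a policy spec before it is applied. The Python below is an added example, not part of this schema or of the project's code. Its assumptions: the camelCase keys `background`, `rules`, `webhookConfiguration`, `failurePolicy` and `timeoutSeconds`, the `{{ }}` variable syntax, the list of request-only variables, and the constructed sample spec.

```python
import re

# Assumption: variables that exist only in the admission review request.
# The page itself names only the user name as an example.
ADMISSION_ONLY = (
    "request.userInfo", "request.roles", "request.clusterRoles",
    "serviceAccountName", "serviceAccountNamespace",
)
# Assumption: variables are written as {{ expression }} inside string values.
_VAR = re.compile(r"\{\{(.*?)\}\}", re.S)


def iter_strings(node):
    """Yield every string value nested anywhere inside a rule."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, (list, tuple)):
        for item in node:
            yield from iter_strings(item)


def admission_only_refs(rule):
    """Return the admission-only variables a rule references, sorted."""
    found = set()
    for text in iter_strings(rule):
        for expr in _VAR.findall(text):
            for var in ADMISSION_ONLY:
                # The lookbehind keeps request.object.spec.serviceAccountName
                # from being mistaken for the bare serviceAccountName variable.
                if re.search(r"(?<![\w.])" + re.escape(var) + r"\b", expr):
                    found.add(var)
    return sorted(found)


def lint_policy(spec):
    """Return (code, rule_name, message) findings for a policy spec dict."""
    findings = []

    # Background defaults to "true"; it must be "false" when a rule uses
    # variables that only exist in the admission review request.
    if str(spec.get("background", True)).lower() != "false":
        for rule in spec.get("rules", []):
            refs = admission_only_refs(rule)
            if refs:
                findings.append(("background", rule.get("name"),
                                 "background scan enabled but rule uses "
                                 + ", ".join(refs)))

    webhook = spec.get("webhookConfiguration") or {}

    # FailurePolicy: allowed values are Ignore or Fail, default Fail.
    policy = webhook.get("failurePolicy", "Fail")
    if policy not in ("Ignore", "Fail"):
        findings.append(("failure-policy", None,
                         f"failurePolicy {policy!r} is not Ignore or Fail"))
    elif policy == "Ignore":
        findings.append(("failure-policy", None,
                         "policy errors and webhook timeouts are ignored"))

    # TimeoutSeconds: default 10, must be between 1 and 30.
    timeout = webhook.get("timeoutSeconds", 10)
    if (isinstance(timeout, bool) or not isinstance(timeout, int)
            or not 1 <= timeout <= 30):
        findings.append(("timeout", None,
                         f"timeoutSeconds {timeout!r} is outside 1..30"))
    return findings


# Constructed sample spec, for illustration only.
SAMPLE_SPEC = {
    "rules": [{
        "name": "restrict-namespace-edits",
        "match": {"any": [{"resources": {"kinds": ["Namespace"]}}]},
        "validate": {
            "failureAction": "Enforce",
            "message": "Only the platform admin may edit this namespace.",
            "deny": {"conditions": {"any": [{
                "key": "{{ request.userInfo.username }}",
                "operator": "NotEquals",
                "value": "platform-admin",
            }]}},
        },
    }],
    "webhookConfiguration": {"failurePolicy": "Ignore", "timeoutSeconds": 45},
}

# The same spec with the three settings corrected.
HARDENED_SPEC = dict(
    SAMPLE_SPEC,
    background=False,
    webhookConfiguration={"failurePolicy": "Fail", "timeoutSeconds": 10},
)

if __name__ == "__main__":
    for code, rule, message in lint_policy(SAMPLE_SPEC):
        print(f"{code:15} {rule or '-':28} {message}")
```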
Status contains policy runtime data.
AutogenStatus contains autogen status information.
[...{
celPreconditions?: [...{
expression!: string
name!: string
}]
context?: [...matchN(1, [{
configMap!: _
}, {
apiCall!: _
}, {
imageRegistry!: _
}, {
variable!: _
}, {
globalReference!: _
}]) & {
apiCall?: {
data?: [...{
key!: string
value!: null | bool | number | string | [...] | {
...
}
}]
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
method?: "GET" | "POST"
service?: {
caBundle?: string
headers?: [...{
key!: string
value!: string
}]
url!: string
}
urlPath?: string
}
configMap?: {
name!: string
namespace?: string
}
globalReference?: {
jmesPath?: string
name!: string
}
imageRegistry?: {
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
jmesPath?: string
reference!: string
}
name!: string
variable?: {
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
value?: null | bool | number | string | [...] | {
...
}
}
}]
exclude?: matchN(0, [null | bool | number | string | [...] | {
any!: _
all!: _
}]) & {
all?: [...{
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}]
any?: [...{
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}]
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}
generate?: {
apiVersion?: string
clone?: {
name?: string
namespace?: string
}
cloneList?: {
kinds?: [...string]
namespace?: string
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
data?: null | bool | number | string | [...] | {
...
}
foreach?: [...{
apiVersion?: string
clone?: {
name?: string
namespace?: string
}
cloneList?: {
kinds?: [...string]
namespace?: string
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
context?: [...matchN(1, [{
configMap!: _
}, {
apiCall!: _
}, {
imageRegistry!: _
}, {
variable!: _
}, {
globalReference!: _
}]) & {
apiCall?: {
data?: [...{
key!: string
value!: null | bool | number | string | [...] | {
...
}
}]
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
method?: "GET" | "POST"
service?: {
caBundle?: string
headers?: [...{
key!: string
value!: string
}]
url!: string
}
urlPath?: string
}
configMap?: {
name!: string
namespace?: string
}
globalReference?: {
jmesPath?: string
name!: string
}
imageRegistry?: {
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
jmesPath?: string
reference!: string
}
name!: string
variable?: {
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
value?: null | bool | number | string | [...] | {
...
}
}
}]
data?: null | bool | number | string | [...] | {
...
}
kind?: string
list?: string
name?: string
namespace?: string
preconditions?: {
all?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
any?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
...
}
uid?: string
}]
generateExisting?: bool
kind?: string
name?: string
namespace?: string
orphanDownstreamOnPolicyDelete?: bool
synchronize?: bool
uid?: string
}
imageExtractors?: {
[string]: [...{
jmesPath?: string
key?: string
name?: string
path!: string
value?: string
}]
}
match!: matchN(0, [null | bool | number | string | [...] | {
any!: _
all!: _
}]) & {
all?: [...{
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}]
any?: [...{
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}]
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}
mutate?: {
foreach?: [...{
context?: [...matchN(1, [{
configMap!: _
}, {
apiCall!: _
}, {
imageRegistry!: _
}, {
variable!: _
}, {
globalReference!: _
}]) & {
apiCall?: {
data?: [...{
key!: string
value!: null | bool | number | string | [...] | {
...
}
}]
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
method?: "GET" | "POST"
service?: {
caBundle?: string
headers?: [...{
key!: string
value!: string
}]
url!: string
}
urlPath?: string
}
configMap?: {
name!: string
namespace?: string
}
globalReference?: {
jmesPath?: string
name!: string
}
imageRegistry?: {
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
jmesPath?: string
reference!: string
}
name!: string
variable?: {
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
value?: null | bool | number | string | [...] | {
...
}
}
}]
foreach?: null | bool | number | string | [...] | {
...
}
list?: string
order?: "Ascending" | "Descending"
patchStrategicMerge?: null | bool | number | string | [...] | {
...
}
patchesJson6902?: string
preconditions?: {
all?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
any?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
...
}
}]
mutateExistingOnPolicyUpdate?: bool
patchStrategicMerge?: null | bool | number | string | [...] | {
...
}
patchesJson6902?: string
targets?: [...{
apiVersion?: string
context?: [...matchN(1, [{
configMap!: _
}, {
apiCall!: _
}, {
imageRegistry!: _
}, {
variable!: _
}, {
globalReference!: _
}]) & {
apiCall?: {
data?: [...{
key!: string
value!: null | bool | number | string | [...] | {
...
}
}]
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
method?: "GET" | "POST"
service?: {
caBundle?: string
headers?: [...{
key!: string
value!: string
}]
url!: string
}
urlPath?: string
}
configMap?: {
name!: string
namespace?: string
}
globalReference?: {
jmesPath?: string
name!: string
}
imageRegistry?: {
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
jmesPath?: string
reference!: string
}
name!: string
variable?: {
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
value?: null | bool | number | string | [...] | {
...
}
}
}]
kind?: string
name?: string
namespace?: string
preconditions?: null | bool | number | string | [...] | {
...
}
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
uid?: string
}]
}
name!: strings.MaxRunes(63)
preconditions?: null | bool | number | string | [...] | {
...
}
reportProperties?: {
[string]: string
}
skipBackgroundRequests?: bool
validate?: {
allowExistingViolations?: bool
anyPattern?: null | bool | number | string | [...] | {
...
}
assert?: {
...
}
cel?: {
auditAnnotations?: [...{
key!: string
valueExpression!: string
}]
expressions?: [...{
expression!: string
message?: string
messageExpression?: string
reason?: string
}]
paramKind?: {
apiVersion?: string
kind?: string
}
paramRef?: {
name?: string
namespace?: string
parameterNotFoundAction?: string
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
variables?: [...{
expression!: string
name!: string
}]
}
deny?: {
conditions?: null | bool | number | string | [...] | {
...
}
}
failureAction?: "Audit" | "Enforce"
failureActionOverrides?: [...{
action?: "audit" | "enforce" | "Audit" | "Enforce"
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
}]
foreach?: [...{
anyPattern?: null | bool | number | string | [...] | {
...
}
context?: [...matchN(1, [{
configMap!: _
}, {
apiCall!: _
}, {
imageRegistry!: _
}, {
variable!: _
}, {
globalReference!: _
}]) & {
apiCall?: {
data?: [...{
key!: string
value!: null | bool | number | string | [...] | {
...
}
}]
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
method?: "GET" | "POST"
service?: {
caBundle?: string
headers?: [...{
key!: string
value!: string
}]
url!: string
}
urlPath?: string
}
configMap?: {
name!: string
namespace?: string
}
globalReference?: {
jmesPath?: string
name!: string
}
imageRegistry?: {
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
jmesPath?: string
reference!: string
}
name!: string
variable?: {
default?: null | bool | number | string | [...] | {
...
}
jmesPath?: string
value?: null | bool | number | string | [...] | {
...
}
}
}]
deny?: {
conditions?: null | bool | number | string | [...] | {
...
}
}
elementScope?: bool
foreach?: null | bool | number | string | [...] | {
...
}
list?: string
pattern?: null | bool | number | string | [...] | {
...
}
preconditions?: {
all?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
any?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
...
}
}]
manifests?: {
annotationDomain?: string
attestors?: [...{
count?: int & >=1
entries?: [...{
annotations?: {
[string]: string
}
attestor?: null | bool | number | string | [...] | {
...
}
certificates?: {
cert?: string
certChain?: string
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
}
keyless?: {
additionalExtensions?: {
[string]: string
}
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
issuer?: string
issuerRegExp?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
roots?: string
subject?: string
subjectRegExp?: string
}
keys?: {
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
kms?: string
publicKeys?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
secret?: {
name!: string
namespace!: string
}
signatureAlgorithm?: string
}
repository?: string
signatureAlgorithm?: string
}]
}]
dryRun?: {
enable?: bool
namespace?: string
}
ignoreFields?: [...{
fields?: [...string]
objects?: [...{
group?: string
kind?: string
name?: string
namespace?: string
version?: string
}]
}]
repository?: string
}
message?: string
pattern?: null | bool | number | string | [...] | {
...
}
podSecurity?: {
exclude?: [...{
controlName!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
images?: [...string]
restrictedField?: string
values?: [...string]
}]
level?: "privileged" | "baseline" | "restricted"
version?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
}
}
verifyImages?: [...{
additionalExtensions?: {
[string]: string
}
annotations?: {
[string]: string
}
attestations?: [...{
attestors?: [...{
count?: int & >=1
entries?: [...{
annotations?: {
[string]: string
}
attestor?: null | bool | number | string | [...] | {
...
}
certificates?: {
cert?: string
certChain?: string
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
}
keyless?: {
additionalExtensions?: {
[string]: string
}
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
issuer?: string
issuerRegExp?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
roots?: string
subject?: string
subjectRegExp?: string
}
keys?: {
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
kms?: string
publicKeys?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
secret?: {
name!: string
namespace!: string
}
signatureAlgorithm?: string
}
repository?: string
signatureAlgorithm?: string
}]
}]
conditions?: [...{
all?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
any?: [...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
}]
name?: string
predicateType?: string
type?: string
}]
attestors?: [...{
count?: int & >=1
entries?: [...{
annotations?: {
[string]: string
}
attestor?: null | bool | number | string | [...] | {
...
}
certificates?: {
cert?: string
certChain?: string
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
}
keyless?: {
additionalExtensions?: {
[string]: string
}
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
issuer?: string
issuerRegExp?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
roots?: string
subject?: string
subjectRegExp?: string
}
keys?: {
ctlog?: {
ignoreSCT?: bool
pubkey?: string
tsaCertChain?: string
}
kms?: string
publicKeys?: string
rekor?: {
ignoreTlog?: bool
pubkey?: string
url?: string
}
secret?: {
name!: string
namespace!: string
}
signatureAlgorithm?: string
}
repository?: string
signatureAlgorithm?: string
}]
}]
cosignOCI11?: bool
failureAction?: "Audit" | "Enforce"
image?: string
imageReferences?: [...string]
imageRegistryCredentials?: {
allowInsecureRegistry?: bool
providers?: [..."default" | "amazon" | "azure" | "google" | "github"]
secrets?: [...string]
}
issuer?: string
key?: string
mutateDigest?: bool
repository?: string
required?: bool
roots?: string
skipImageReferences?: [...string]
subject?: string
type?: "Cosign" | "SigstoreBundle" | "Notary"
useCache?: bool
validate?: {
deny?: {
conditions?: null | bool | number | string | [...] | {
...
}
}
message?: string
}
verifyDigest?: bool
}]
}]
Rules is a list of Rule instances. It contains auto-generated rules added for pod controllers
[...{
lastTransitionTime!: time.Time
message!: strings.MaxRunes(32768)
observedGeneration?: int & >=0 & <=9223372036854775807
reason!: strings.MaxRunes(1024) & strings.MinRunes(1) & {
=~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"
}
status!: "True" | "False" | "Unknown"
type!: strings.MaxRunes(316) & {
=~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
}
}]
RuleCountStatus contains four variables which describe counts for validate, generate, mutate and verify images rules
Count for verify image rules in policy
ValidatingAdmissionPolicy contains status information
Generated indicates whether a validating admission policy is generated from the policy or not
Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.