cue.dev/x/kyverno/policyexception/v2 (module version v0.4.0)

#PolicyException:

PolicyException declares resources to be excluded from specified policies.

apiVersion: "kyverno.io/v2"

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind: "PolicyException"

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata!:
name!: string
namespace!: string
labels?: [string]: string
annotations?: [string]: string
spec!:

Spec declares policy exception behaviors.

background?: bool

Background controls if exceptions are applied to existing policies during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).

conditions?:

Conditions are used to determine if a resource applies to the exception by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements.

all?: [...{
	key?: null | bool | number | string | [...] | {
		...
	}
	message?:  string
	operator?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
	value?: null | bool | number | string | [...] | {
		...
	}
}]

AllConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass.

any?: [...{
	key?: null | bool | number | string | [...] | {
		...
	}
	message?:  string
	operator?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
	value?: null | bool | number | string | [...] | {
		...
	}
}]

AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions needs to pass.

exceptions!: [...{
	policyName!: string
	ruleNames!: [...string]
}]

Exceptions is a list of policies, each with the names of the rules within that policy, from which the matched resources are excluded.

match!:

Match defines the match clause used to check whether a resource applies to the exception.

all?: [...{
	clusterRoles?: [...string]
	resources?: matchN(0, [null | bool | number | string | [...] | {
		name!:  _
		names!: _
	}]) & {
		annotations?: {
			[string]: string
		}
		kinds?: [...string]
		name?: string
		names?: [...string]
		namespaceSelector?: {
			matchExpressions?: [...{
				key!:      string
				operator!: string
				values?: [...string]
			}]
			matchLabels?: {
				[string]: string
			}
		}
		namespaces?: [...string]
		operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
		selector?: {
			matchExpressions?: [...{
				key!:      string
				operator!: string
				values?: [...string]
			}]
			matchLabels?: {
				[string]: string
			}
		}
	}
	roles?: [...string]
	subjects?: [...{
		apiGroup?:  string
		kind!:      string
		name!:      string
		namespace?: string
	}]
}]

All allows specifying resources which will be ANDed

any?: [...{
	clusterRoles?: [...string]
	resources?: matchN(0, [null | bool | number | string | [...] | {
		name!:  _
		names!: _
	}]) & {
		annotations?: {
			[string]: string
		}
		kinds?: [...string]
		name?: string
		names?: [...string]
		namespaceSelector?: {
			matchExpressions?: [...{
				key!:      string
				operator!: string
				values?: [...string]
			}]
			matchLabels?: {
				[string]: string
			}
		}
		namespaces?: [...string]
		operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
		selector?: {
			matchExpressions?: [...{
				key!:      string
				operator!: string
				values?: [...string]
			}]
			matchLabels?: {
				[string]: string
			}
		}
	}
	roles?: [...string]
	subjects?: [...{
		apiGroup?:  string
		kind!:      string
		name!:      string
		namespace?: string
	}]
}]

Any allows specifying resources which will be ORed

podSecurity?: [...{
	controlName!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
	images?: [...string]
	restrictedField?: string
	values?: [...string]
}]

PodSecurity specifies the Pod Security Standard controls to be excluded. Applicable only to policies that have a validate.podSecurity subrule.
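The following is an added example, not code from the page or from the kyverno module's own schema.cue, showing one complete PolicyException unified with the #PolicyException definition above. It exercises the fields documented in the background, conditions, match, exceptions and podSecurity sections together: a match scoped by namespace, name pattern, operation and ServiceAccount subject; an admission-only condition that reads request.userInfo and therefore sets background: false; exceptions naming specific rules; and a podSecurity control exemption limited to one image. The import path and package name are assumed from the module path cue.dev/x/kyverno/policyexception/v2; the policy name, rule names, namespace, ServiceAccount, image reference and restrictedField value are illustrative assumptions, not values the page defines.

```cue
package example

// Assumption: import path and package name derived from the module path
// cue.dev/x/kyverno/policyexception/v2; check schema.cue for the real clause.
import v2 "cue.dev/x/kyverno/policyexception/v2"

// A narrowly scoped exception: one Deployment name pattern, in one namespace,
// submitted by one ServiceAccount, relaxing two named rules of one policy.
ciRunnerException: v2.#PolicyException & {
	metadata: {
		name:      "ci-runner-privileged"
		namespace: "ci"
	}
	spec: {
		// The condition below reads request.userInfo, which exists only in the
		// admission review, so this exception must not be evaluated in background scans.
		background: false

		match: any: [{
			resources: {
				kinds:      ["Deployment"]
				namespaces: ["ci"]
				// `names` and `name` are mutually exclusive in the schema
				// (matchN(0, ...) above); use exactly one of them.
				names:      ["runner-*"]
				operations: ["CREATE", "UPDATE"]
			}
			subjects: [{
				kind:      "ServiceAccount"
				name:      "ci-deployer"
				namespace: "ci"
			}]
		}]

		conditions: all: [{
			// JMESPath variable from the admission request (assumed identity).
			key:      "{{ request.userInfo.username }}"
			operator: "Equals"
			value:    "system:serviceaccount:ci:ci-deployer"
			message:  "exception applies only to the ci-deployer ServiceAccount"
		}]

		// Assumed policy and rule names; list only the rules that need relaxing.
		exceptions: [{
			policyName: "psa-restricted"
			ruleNames: ["restricted", "require-run-as-nonroot"]
		}]

		// Exempt a single PSS control for a single image, not the whole policy.
		// restrictedField and values are illustrative assumptions.
		podSecurity: [{
			controlName:     "Privileged Containers"
			images:          ["registry.example.internal/ci/runner:*"]
			restrictedField: "spec.containers[*].securityContext.privileged"
			values:          ["true"]
		}]
	}
}
```

Run `cue vet` on this file inside a module that declares the kyverno dependency (for example after `cue mod get cue.dev/x/kyverno@v0.4.0`). Unification with #PolicyException rejects a resources block that sets both name and names, an operator or controlName outside the enumerations shown above, an operation other than CREATE, CONNECT, UPDATE or DELETE, and a missing policyName or ruleNames. Because an exception disables the listed rules for everything the match clause covers, keep the match as narrow as the schema allows: pair namespaces with names or subjects rather than matching a kind alone, and enumerate only the rules that actually need relaxing.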

Source files

  • schema.cue