APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
Spec declares policy exception behaviors.
Background controls whether the exception is also applied to existing resources during a background scan. Optional. Default value is "true". It must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. the requesting user name), because those variables do not exist during a background scan.
Conditions are used to determine if a resource applies to the exception by evaluating a set of conditions. The declaration can contain nested `any` or `all` statements.
[...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
AllConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, all of the conditions need to pass.
[...{
key?: null | bool | number | string | [...] | {
...
}
message?: string
operator?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
value?: null | bool | number | string | [...] | {
...
}
}]
AnyConditions enable variable-based conditional rule execution. This is useful for finer control of when a rule is applied. A condition can reference object data using JMESPath notation. Here, at least one of the conditions needs to pass.
Exceptions is a list of policies/rules to be excluded.
Match defines the match clause used to check whether a resource applies to the exception.
[...{
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}]
All allows specifying resources which will be ANDed.
[...{
clusterRoles?: [...string]
resources?: matchN(0, [null | bool | number | string | [...] | {
name!: _
names!: _
}]) & {
annotations?: {
[string]: string
}
kinds?: [...string]
name?: string
names?: [...string]
namespaceSelector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
namespaces?: [...string]
operations?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
selector?: {
matchExpressions?: [...{
key!: string
operator!: string
values?: [...string]
}]
matchLabels?: {
[string]: string
}
}
}
roles?: [...string]
subjects?: [...{
apiGroup?: string
kind!: string
name!: string
namespace?: string
}]
}]
Any allows specifying resources which will be ORed.
[...{
controlName!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
images?: [...string]
restrictedField?: string
values?: [...string]
}]
PodSecurity specifies the Pod Security Standard controls to be excluded. Applicable only to policies that have a validate.podSecurity subrule.
PolicyException declares resources to be excluded from specified policies.
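The schema above states several constraints that are easy to get wrong in a hand-written exception: `name` and `names` under `resources` are mutually exclusive, `operator`, `operations` and `controlName` are closed enumerations, `subjects` entries require `kind` and `name`, and `background` must be "false" when the conditions use admission-request-only variables. The following validator, added here as an illustration and not part of Kyverno or of this schema page, checks a decoded PolicyException object (a dict, as a YAML or JSON manifest would load to) against those constraints. The sample objects are constructed; the policy name, rule name, namespace, image reference and `apiVersion` value are placeholders, the `policyName`/`ruleNames` field names inside `exceptions` are assumed (the page does not expand that list type), and the set of admission-only variables is assumed to be those rooted at `request.userInfo`.

```python
"""Validate a Kyverno PolicyException against the constraints in the schema above.

Added example, not Kyverno's own validation code. Input is the decoded object (dict).
"""
import re

CONDITION_OPERATORS = {
    "Equals", "NotEquals", "AnyIn", "AllIn", "AnyNotIn", "AllNotIn",
    "GreaterThanOrEquals", "GreaterThan", "LessThanOrEquals", "LessThan",
    "DurationGreaterThanOrEquals", "DurationGreaterThan",
    "DurationLessThanOrEquals", "DurationLessThan",
}
OPERATIONS = {"CREATE", "CONNECT", "UPDATE", "DELETE"}
POD_SECURITY_CONTROLS = {
    "HostProcess", "Host Namespaces", "Privileged Containers", "Capabilities",
    "HostPath Volumes", "Host Ports", "AppArmor", "SELinux", "/proc Mount Type",
    "Seccomp", "Sysctls", "Volume Types", "Privilege Escalation",
    "Running as Non-root", "Running as Non-root user",
}
# Assumption: the admission-only variables the `background` description warns about
# are those rooted at request.userInfo (user name, groups). Extend the pattern as needed.
ADMISSION_ONLY_VAR = re.compile(r"\{\{\s*request\.userInfo\b")


def _strings(value):
    """Yield every string nested anywhere inside a condition key or value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def _check_conditions(conds, path, errors):
    """Check operator names; return True if any condition uses an admission-only variable."""
    admission_only = False
    for i, cond in enumerate(conds or []):
        op = cond.get("operator")
        if op is not None and op not in CONDITION_OPERATORS:
            errors.append(f"{path}[{i}].operator: unknown operator {op!r}")
        for field in ("key", "value"):
            if any(ADMISSION_ONLY_VAR.search(s) for s in _strings(cond.get(field))):
                admission_only = True
    return admission_only


def _check_resource_filters(filters, path, errors):
    """Check one match.any / match.all list of resource filters."""
    for i, rf in enumerate(filters or []):
        res = rf.get("resources") or {}
        if "name" in res and "names" in res:
            errors.append(f"{path}[{i}].resources: name and names are mutually exclusive")
        for op in res.get("operations", []):
            if op not in OPERATIONS:
                errors.append(f"{path}[{i}].resources.operations: unknown operation {op!r}")
        for j, subj in enumerate(rf.get("subjects", [])):
            for req in ("kind", "name"):
                if req not in subj:
                    errors.append(f"{path}[{i}].subjects[{j}]: missing required field {req!r}")


def validate_policy_exception(obj):
    """Return a list of violations; an empty list means the object passes these checks."""
    errors = []
    if obj.get("kind") != "PolicyException":
        errors.append(f"kind: expected 'PolicyException', got {obj.get('kind')!r}")
    spec = obj.get("spec") or {}
    if not spec.get("exceptions"):
        errors.append("spec.exceptions: no policy/rule listed, so the exception excludes nothing")
    match = spec.get("match") or {}
    if not match.get("any") and not match.get("all"):
        errors.append("spec.match: neither any nor all is set, so no resource is matched")
    _check_resource_filters(match.get("any"), "spec.match.any", errors)
    _check_resource_filters(match.get("all"), "spec.match.all", errors)
    conds = spec.get("conditions") or {}
    admission_only = _check_conditions(conds.get("any"), "spec.conditions.any", errors)
    admission_only |= _check_conditions(conds.get("all"), "spec.conditions.all", errors)
    if admission_only and spec.get("background", True):  # default is "true" per the schema
        errors.append("spec.background: must be false when conditions use request.userInfo, "
                      "which only exists in the admission review request")
    for i, ps in enumerate(spec.get("podSecurity", [])):
        if ps.get("controlName") not in POD_SECURITY_CONTROLS:
            errors.append(f"spec.podSecurity[{i}].controlName: unknown control {ps.get('controlName')!r}")
    return errors


# Constructed sample: exempt one named Deployment in one namespace from one rule, only when
# created by a specific service account. Policy/rule/namespace/image names are placeholders.
SAMPLE_OK = {
    "apiVersion": "kyverno.io/v2",  # assumed version string
    "kind": "PolicyException",
    "metadata": {"name": "ci-runner-hostpath", "namespace": "ci"},
    "spec": {
        "background": False,
        "exceptions": [{"policyName": "disallow-host-path", "ruleNames": ["host-path"]}],
        "match": {"any": [{"resources": {"kinds": ["Deployment"], "namespaces": ["ci"],
                                          "names": ["runner"]}}]},
        "conditions": {"all": [{"key": "{{ request.userInfo.username }}",
                                "operator": "Equals",
                                "value": "system:serviceaccount:ci:deployer"}]},
        "podSecurity": [{"controlName": "HostPath Volumes",
                         "images": ["registry.example.internal/ci/runner:*"]}],
    },
}

# Constructed negative: background left at its default, name and names both set,
# and a misspelled Pod Security control name.
SAMPLE_BAD = {
    "apiVersion": "kyverno.io/v2",
    "kind": "PolicyException",
    "metadata": {"name": "ci-runner-hostpath", "namespace": "ci"},
    "spec": {
        "exceptions": [{"policyName": "disallow-host-path", "ruleNames": ["host-path"]}],
        "match": {"any": [{"resources": {"kinds": ["Deployment"], "name": "runner",
                                          "names": ["runner"]}}]},
        "conditions": {"all": [{"key": "{{ request.userInfo.username }}",
                                "operator": "Equals",
                                "value": "system:serviceaccount:ci:deployer"}]},
        "podSecurity": [{"controlName": "Hostpath Volumes"}],
    },
}

if __name__ == "__main__":
    for name, obj in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, validate_policy_exception(obj) or "passes")
```

The `background` check is the one worth keeping in a pre-commit or CI step: an exception that keys on `request.userInfo` but leaves `background` at its default will be evaluated during background scans with that variable absent, which is exactly the failure the schema text warns about. The name/names and enumeration checks catch the mistakes the API server would otherwise reject only at apply time.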