cue.dev/x/k8s.io@v0.7.0

api/admissionregistration/v1/schema.cue

   1package v1
   2
   3import "cue.dev/x/k8s.io/apimachinery/pkg/apis/meta/v1"
   4
// AuditAnnotation describes how to produce an audit annotation
// for an API request.
//
// NOTE(security): the annotation value is computed by a CEL
// expression and written into the API server's audit log, so
// whatever the expression copies out of the request is shipped to
// wherever audit events are stored. Presumably the expression has
// the same access to the request (object, oldObject, request) as
// the other CEL expressions in this file — confirm — in which case
// an expression that echoes fields of sensitive kinds (e.g. Secret
// data) leaks them into audit storage. Emit the minimum needed and
// treat audit output as sensitive.
#AuditAnnotation: {
	// key specifies the audit annotation key. The audit annotation
	// keys of a ValidatingAdmissionPolicy must be unique. The key
	// must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more
	// than 63 bytes in length.
	//
	// The key is combined with the resource name of the
	// ValidatingAdmissionPolicy to construct an audit annotation
	// key: "{ValidatingAdmissionPolicy name}/{key}".
	//
	// If an admission webhook uses the same resource name as this
	// ValidatingAdmissionPolicy and the same audit annotation key,
	// the annotation key will be identical. In this case, the first
	// annotation written with the key will be included in the audit
	// event and all subsequent annotations with the same key will be
	// discarded.
	//
	// NOTE(security): "first writer wins" means an admission webhook
	// that shares this policy's resource name and annotation key can
	// shadow the policy's annotation in the audit event. Keep policy
	// names and keys distinct from those used by webhooks. The
	// character set and 63-byte limit are documented only; this
	// schema does not enforce them.
	//
	// Required.
	"key"!: string

	// valueExpression represents the expression which is evaluated by
	// CEL to produce an audit annotation value. The expression must
	// evaluate to either a string or null value. If the expression
	// evaluates to a string, the audit annotation is included with
	// the string value. If the expression evaluates to null or empty
	// string the audit annotation will be omitted. The
	// valueExpression may be no longer than 5kb in length. If the
	// result of the valueExpression is more than 10kb in length, it
	// will be truncated to 10kb.
	//
	// If multiple ValidatingAdmissionPolicyBinding resources match an
	// API request, then the valueExpression will be evaluated for
	// each binding. All unique values produced by the
	// valueExpressions will be joined together in a comma-separated
	// list.
	//
	// NOTE(review): a null/empty result omits the annotation and a
	// long result is silently truncated at 10kb, so consumers of the
	// audit stream must not treat a missing or short annotation as
	// proof that nothing of interest happened. Because values from
	// several bindings are merged into one comma-separated list, a
	// value that itself contains commas cannot be unambiguously split
	// again. The 5kb expression limit is documented only; this schema
	// does not enforce it.
	//
	// Required.
	"valueExpression"!: string
}
  46
// ExpressionWarning is a warning information that targets a
// specific expression.
//
// Instances of this type are produced by the system (see
// #TypeChecking / #ValidatingAdmissionPolicyStatus) and are
// read-only from the user's point of view.
#ExpressionWarning: {
	// The path to the field that refers the expression. For example,
	// the reference to the expression of the first item of
	// validations is "spec.validations[0].expression"
	"fieldRef"!: string

	// The content of type checking information in a human-readable
	// form. Each line of the warning contains the type that the
	// expression is checked against, followed by the type check
	// error from the compiler.
	//
	// NOTE(review): a type-check warning is advisory; nothing on this
	// page says it rejects the policy. What happens when such an
	// expression is actually evaluated at admission time is governed
	// by the policy's failure policy, which is not visible in this
	// chunk — confirm before relying on warnings as an enforcement
	// signal, and surface them in review so expressions that can
	// never evaluate cleanly are not silently fail-open.
	"warning"!: string
}
  61
// MatchCondition represents a condition which must be fulfilled
// for a request to be sent to a webhook.
//
// NOTE(security): match conditions decide whether the webhook sees
// a request at all, so every condition is also a potential
// exemption. A condition that is too broad, or that errors under
// failurePolicy=Ignore, silently removes requests from the webhook
// (see the evaluation order documented on
// #MutatingWebhook.matchConditions).
#MatchCondition: {
	// Expression represents the expression which will be evaluated by
	// CEL. Must evaluate to bool. CEL expressions have access to the
	// contents of the AdmissionRequest and Authorizer, organized
	// into CEL variables:
	//
	// 'object' - The object from the incoming request. The value is
	// null for DELETE requests. 'oldObject' - The existing object.
	// The value is null for CREATE requests. 'request' - Attributes
	// of the admission
	// request(/pkg/apis/admission/types.go#AdmissionRequest).
	// 'authorizer' - A CEL Authorizer. May be used to perform
	// authorization checks for the principal (user or service
	// account) of the request.
	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
	// 'authorizer.requestResource' - A CEL ResourceCheck constructed
	// from the 'authorizer' and configured with the
	// request resource.
	// Documentation on CEL:
	// https://kubernetes.io/docs/reference/using-api/cel/
	//
	// NOTE(review): 'object' is null on DELETE and 'oldObject' is
	// null on CREATE, so an expression that reads fields of either
	// without first checking the operation will presumably fail to
	// evaluate on those requests (field access on a null in CEL —
	// confirm); under failurePolicy=Ignore that error skips the
	// webhook instead of rejecting the request. Exemptions decided
	// through 'authorizer' are only as strong as the RBAC grants they
	// test: every principal holding the checked permission bypasses
	// the webhook. Must evaluate to bool, but this schema only checks
	// that the field is a string.
	//
	// Required.
	"expression"!: string

	// Name is an identifier for this match condition, used for
	// strategic merging of MatchConditions, as well as providing an
	// identifier for logging purposes. A good name should be
	// descriptive of the associated expression. Name must be a
	// qualified name consisting of alphanumeric characters, '-', '_'
	// or '.', and must start and end with an alphanumeric character
	// (e.g. 'MyName', or 'my.name', or '123-abc', regex used for
	// validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with
	// an optional DNS subdomain prefix and '/' (e.g.
	// 'example.com/MyName')
	//
	// NOTE(review): the naming rules above are documented only; this
	// schema does not enforce the regex. Because the name is the
	// merge key and the identifier that appears in logs, a vague name
	// makes it hard to tell from an audit trail which condition
	// exempted a request.
	//
	// Required.
	"name"!: string
}
 102
// MatchResources decides whether to run the admission control
// policy on an object based on whether it meets the match
// criteria. The exclude rules take precedence over include rules
// (if a resource matches both, it is excluded)
//
// NOTE(security): each field here narrows the set of requests the
// policy evaluates, so each one is also a way for a request to
// avoid the policy. The schema only types the fields; none of the
// allowed values, defaults or precedence rules documented below are
// enforced by it.
#MatchResources: {
	// ExcludeResourceRules describes what operations on what
	// resources/subresources the ValidatingAdmissionPolicy should
	// not care about. The exclude rules take precedence over include
	// rules (if a resource matches both, it is excluded)
	//
	// NOTE(security): because excludes win over includes, an exclude
	// rule that uses '*' wildcards can silently switch the policy off
	// for far more than intended. Review excludes with the same care
	// as resourceRules.
	"excludeResourceRules"?: [...#NamedRuleWithOperations]

	// matchPolicy defines how the "MatchResources" list is used to
	// match incoming requests. Allowed values are "Exact" or
	// "Equivalent".
	//
	// - Exact: match a request only if it exactly matches a specified
	// rule. For example, if deployments can be modified via apps/v1,
	// apps/v1beta1, and extensions/v1beta1, but "rules" only
	// included `apiGroups:["apps"], apiVersions:["v1"], resources:
	// ["deployments"]`, a request to apps/v1beta1 or
	// extensions/v1beta1 would not be sent to the
	// ValidatingAdmissionPolicy.
	//
	// - Equivalent: match a request if modifies a resource listed in
	// rules, even via another API group or version. For example, if
	// deployments can be modified via apps/v1, apps/v1beta1, and
	// extensions/v1beta1, and "rules" only included
	// `apiGroups:["apps"], apiVersions:["v1"], resources:
	// ["deployments"]`, a request to apps/v1beta1 or
	// extensions/v1beta1 would be converted to apps/v1 and sent to
	// the ValidatingAdmissionPolicy.
	//
	// Defaults to "Equivalent"
	//
	// NOTE(security): with "Exact", a client can reach the same
	// stored resource through an API group or version that is not
	// listed in the rules and the policy is not run (the
	// apps/v1beta1 example above). Keep the default "Equivalent"
	// unless that bypass is deliberate. Only "Exact"/"Equivalent" are
	// valid, but this schema accepts any string.
	"matchPolicy"?: string

	// NamespaceSelector decides whether to run the admission control
	// policy on an object based on whether the namespace for that
	// object matches the selector. If the object itself is a
	// namespace, the matching is performed on
	// object.metadata.labels. If the object is another cluster
	// scoped resource, it never skips the policy.
	//
	// For example, to run the webhook on any objects whose namespace
	// is not associated with "runlevel" of "0" or "1"; you will set
	// the selector as follows: "namespaceSelector": {
	// "matchExpressions": [
	// {
	// "key": "runlevel",
	// "operator": "NotIn",
	// "values": [
	// "0",
	// "1"
	// ]
	// }
	// ]
	// }
	//
	// If instead you want to only run the policy on any objects whose
	// namespace is associated with the "environment" of "prod" or
	// "staging"; you will set the selector as follows:
	// "namespaceSelector": {
	// "matchExpressions": [
	// {
	// "key": "environment",
	// "operator": "In",
	// "values": [
	// "prod",
	// "staging"
	// ]
	// }
	// ]
	// }
	//
	// See
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
	// for more examples of label selectors.
	//
	// Default to the empty LabelSelector, which matches everything.
	//
	// NOTE(review): the selector is evaluated against namespace
	// labels, so a principal allowed to update Namespace objects can
	// presumably move a namespace in or out of the policy's scope by
	// relabelling it — confirm who holds that permission. An opt-out
	// scheme like the "runlevel" NotIn example above is therefore
	// weaker than an opt-in "In" scheme for security-critical
	// policies.
	"namespaceSelector"?: v1.#LabelSelector

	// ObjectSelector decides whether to run the validation based on
	// if the object has matching labels. objectSelector is evaluated
	// against both the oldObject and newObject that would be sent to
	// the cel validation, and is considered to match if either
	// object matches the selector. A null object (oldObject in the
	// case of create, or newObject in the case of delete) or an
	// object that cannot have labels (like a DeploymentRollback or a
	// PodProxyOptions object) is not considered to match. Use the
	// object selector only if the webhook is opt-in, because end
	// users may skip the admission webhook by setting the labels.
	// Default to the empty LabelSelector, which matches everything.
	//
	// NOTE(review): the "webhook" wording above is shared with the
	// webhook types; for this type it applies to the policy. The
	// bypass warning is the important part: anyone who can write the
	// object's labels decides whether the policy runs. Because the
	// selector matches if EITHER oldObject or newObject matches, an
	// UPDATE that removes the label is still evaluated, but a CREATE
	// that never sets it is not.
	"objectSelector"?: v1.#LabelSelector

	// ResourceRules describes what operations on what
	// resources/subresources the ValidatingAdmissionPolicy matches.
	// The policy cares about an operation if it matches _any_ Rule.
	//
	// NOTE(review): optional here. As documented on
	// #ValidatingAdmissionPolicyBindingSpec.matchResources, leaving
	// this unset in a binding does not constrain matching at all,
	// whereas a policy's matchConstraints require it.
	"resourceRules"?: [...#NamedRuleWithOperations]
}
 201
// MutatingWebhook describes an admission webhook and the
// resources and operations it applies to.
//
// NOTE(security): a mutating webhook sits in the API server's
// request path and may rewrite any object matched by its rules.
// The fields that decide when it runs (rules, matchPolicy,
// namespaceSelector, objectSelector, matchConditions) and what
// happens when it cannot run (failurePolicy, timeoutSeconds)
// together determine whether the hook fails open or closed. The
// allowed values, ranges and defaults documented below are not
// enforced by this schema; only field presence and base types are.
#MutatingWebhook: {
	// AdmissionReviewVersions is an ordered list of preferred
	// `AdmissionReview` versions the Webhook expects. API server
	// will try to use first version in the list which it supports.
	// If none of the versions specified in this list supported by
	// API server, validation will fail for this object. If a
	// persisted webhook configuration specifies allowed versions and
	// does not include any versions known to the API Server, calls
	// to the webhook will fail and be subject to the failure policy.
	//
	// NOTE(review): a persisted version list the server no longer
	// supports makes every call fail and fall through to
	// failurePolicy — under Ignore the webhook is then silently
	// skipped for all matched requests.
	"admissionReviewVersions"!: [...string]

	// ClientConfig defines how to communicate with the hook. Required
	//
	// NOTE(review): #WebhookClientConfig is defined outside this
	// chunk. The endpoint it names receives every matched
	// AdmissionReview, so what the hook can observe is bounded only
	// by the rules and selectors below.
	"clientConfig"!: #WebhookClientConfig

	// FailurePolicy defines how unrecognized errors from the
	// admission endpoint are handled - allowed values are Ignore or
	// Fail. Defaults to Fail.
	//
	// NOTE(security): Ignore is fail-open — an unreachable,
	// timing-out or erroring webhook lets the request through
	// unmodified. Fail is fail-closed, which makes the webhook's
	// availability part of the cluster's write availability. Pick
	// one deliberately per webhook; only "Ignore"/"Fail" are valid
	// but this schema accepts any string.
	"failurePolicy"?: string

	// MatchConditions is a list of conditions that must be met for a
	// request to be sent to this webhook. Match conditions filter
	// requests that have already been matched by the rules,
	// namespaceSelector, and objectSelector. An empty list of
	// matchConditions matches all requests. There are a maximum of
	// 64 match conditions allowed.
	//
	// The exact matching logic is (in order):
	// 1. If ANY matchCondition evaluates to FALSE, the webhook is
	// skipped.
	// 2. If ALL matchConditions evaluate to TRUE, the webhook is
	// called.
	// 3. If any matchCondition evaluates to an error (but none are
	// FALSE):
	// - If failurePolicy=Fail, reject the request
	// - If failurePolicy=Ignore, the error is ignored and the webhook
	// is skipped
	//
	// NOTE(security): step 3 means that under failurePolicy=Ignore a
	// broken or error-prone condition disables the webhook rather
	// than blocking requests. Keep conditions simple and null-safe
	// ('object' is null on DELETE, 'oldObject' on CREATE — see
	// #MatchCondition). The 64-entry limit is documented only.
	"matchConditions"?: [...#MatchCondition]

	// matchPolicy defines how the "rules" list is used to match
	// incoming requests. Allowed values are "Exact" or "Equivalent".
	//
	// - Exact: match a request only if it exactly matches a specified
	// rule. For example, if deployments can be modified via apps/v1,
	// apps/v1beta1, and extensions/v1beta1, but "rules" only
	// included `apiGroups:["apps"], apiVersions:["v1"], resources:
	// ["deployments"]`, a request to apps/v1beta1 or
	// extensions/v1beta1 would not be sent to the webhook.
	//
	// - Equivalent: match a request if modifies a resource listed in
	// rules, even via another API group or version. For example, if
	// deployments can be modified via apps/v1, apps/v1beta1, and
	// extensions/v1beta1, and "rules" only included
	// `apiGroups:["apps"], apiVersions:["v1"], resources:
	// ["deployments"]`, a request to apps/v1beta1 or
	// extensions/v1beta1 would be converted to apps/v1 and sent to
	// the webhook.
	//
	// Defaults to "Equivalent"
	//
	// NOTE(security): with "Exact", a client can reach the same
	// stored resource through a group/version not listed in rules
	// and the webhook is not called. Keep the default "Equivalent"
	// unless that bypass is deliberate.
	"matchPolicy"?: string

	// The name of the admission webhook. Name should be fully
	// qualified, e.g., imagepolicy.kubernetes.io, where
	// "imagepolicy" is the name of the webhook, and kubernetes.io is
	// the name of the organization. Required.
	//
	// NOTE(review): the fully-qualified form is a convention; this
	// schema does not enforce it.
	"name"!: string

	// NamespaceSelector decides whether to run the webhook on an
	// object based on whether the namespace for that object matches
	// the selector. If the object itself is a namespace, the
	// matching is performed on object.metadata.labels. If the object
	// is another cluster scoped resource, it never skips the
	// webhook.
	//
	// For example, to run the webhook on any objects whose namespace
	// is not associated with "runlevel" of "0" or "1"; you will set
	// the selector as follows: "namespaceSelector": {
	// "matchExpressions": [
	// {
	// "key": "runlevel",
	// "operator": "NotIn",
	// "values": [
	// "0",
	// "1"
	// ]
	// }
	// ]
	// }
	//
	// If instead you want to only run the webhook on any objects
	// whose namespace is associated with the "environment" of "prod"
	// or "staging"; you will set the selector as follows:
	// "namespaceSelector": {
	// "matchExpressions": [
	// {
	// "key": "environment",
	// "operator": "In",
	// "values": [
	// "prod",
	// "staging"
	// ]
	// }
	// ]
	// }
	//
	// See
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
	// for more examples of label selectors.
	//
	// Default to the empty LabelSelector, which matches everything.
	//
	// NOTE(review): the selector is evaluated against namespace
	// labels, so a principal allowed to update Namespace objects can
	// presumably move a namespace in or out of the webhook's scope
	// by relabelling it — confirm who holds that permission before
	// relying on an opt-out scheme like the "runlevel" example.
	"namespaceSelector"?: v1.#LabelSelector

	// ObjectSelector decides whether to run the webhook based on if
	// the object has matching labels. objectSelector is evaluated
	// against both the oldObject and newObject that would be sent to
	// the webhook, and is considered to match if either object
	// matches the selector. A null object (oldObject in the case of
	// create, or newObject in the case of delete) or an object that
	// cannot have labels (like a DeploymentRollback or a
	// PodProxyOptions object) is not considered to match. Use the
	// object selector only if the webhook is opt-in, because end
	// users may skip the admission webhook by setting the labels.
	// Default to the empty LabelSelector, which matches everything.
	//
	// NOTE(security): the bypass warning above is the important part:
	// whoever can write the object's labels decides whether this
	// webhook runs. Since the selector matches if EITHER oldObject or
	// newObject matches, an UPDATE that strips the label is still
	// seen, but a CREATE that never sets it is not.
	"objectSelector"?: v1.#LabelSelector

	// reinvocationPolicy indicates whether this webhook should be
	// called multiple times as part of a single admission
	// evaluation. Allowed values are "Never" and "IfNeeded".
	//
	// Never: the webhook will not be called more than once in a
	// single admission evaluation.
	//
	// IfNeeded: the webhook will be called at least one additional
	// time as part of the admission evaluation if the object being
	// admitted is modified by other admission plugins after the
	// initial webhook call. Webhooks that specify this option *must*
	// be idempotent, able to process objects they previously
	// admitted. Note: * the number of additional invocations is not
	// guaranteed to be exactly one. * if additional invocations
	// result in further modifications to the object, webhooks are
	// not guaranteed to be invoked again. * webhooks that use this
	// option may be reordered to minimize the number of additional
	// invocations. * to validate an object after all mutations are
	// guaranteed complete, use a validating admission webhook
	// instead.
	//
	// Defaults to "Never".
	//
	// NOTE(review): with IfNeeded the hook can see its own earlier
	// output, so a non-idempotent mutation (e.g. appending to a list)
	// may be applied more than once. Nothing here guarantees the
	// hook sees the final object — use a validating webhook for
	// that, as the text says.
	"reinvocationPolicy"?: string

	// Rules describes what operations on what resources/subresources
	// the webhook cares about. The webhook cares about an operation
	// if it matches _any_ Rule. However, in order to prevent
	// ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from
	// putting the cluster in a state which cannot be recovered from
	// without completely disabling the plugin,
	// ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are
	// never called on admission requests for
	// ValidatingWebhookConfiguration and
	// MutatingWebhookConfiguration objects.
	//
	// NOTE(security): because webhooks are never invoked for
	// ValidatingWebhookConfiguration / MutatingWebhookConfiguration
	// objects, a webhook cannot protect its own registration from
	// being edited or deleted; only RBAC on those resources does.
	// Wildcards ('*', '*/*') widen what the hook sees and, with
	// failurePolicy=Fail, what its outage blocks.
	"rules"?: [...#RuleWithOperations]

	// SideEffects states whether this webhook has side effects.
	// Acceptable values are: None, NoneOnDryRun (webhooks created
	// via v1beta1 may also specify Some or Unknown). Webhooks with
	// side effects MUST implement a reconciliation system, since a
	// request may be rejected by a future step in the admission
	// chain and the side effects therefore need to be undone.
	// Requests with the dryRun attribute will be auto-rejected if
	// they match a webhook with sideEffects == Unknown or Some.
	//
	// NOTE(review): this is a self-declaration by the webhook
	// author; nothing in this schema checks that a hook declared
	// None really has no side effects. Declaring None/NoneOnDryRun
	// for a hook that does have side effects means dryRun requests
	// will be sent to it and those effects will happen.
	"sideEffects"!: string

	// TimeoutSeconds specifies the timeout for this webhook. After
	// the timeout passes, the webhook call will be ignored or the
	// API call will fail based on the failure policy. The timeout
	// value must be between 1 and 30 seconds. Default to 10 seconds.
	//
	// NOTE(security): the 1..30 range and the 10s default are
	// documented only; the schema allows any int32. After the
	// timeout the request is handed to failurePolicy, so under
	// Ignore a slow or overloaded webhook is simply bypassed.
	"timeoutSeconds"?: int32 & int
}
 380
// MutatingWebhookConfiguration describes the configuration of and
// admission webhook that accept or reject and may change the
// object.
//
// NOTE(security): the webhooks in this object may rewrite every
// request their rules match, and by default (empty
// namespaceSelector) that is every namespace. Write access to this
// resource (create/update/patch/delete) therefore lets a principal
// interpose on and modify other principals' API requests; treat
// that permission as equivalent to cluster-wide write access and
// audit changes to these objects. Webhooks are never invoked for
// requests on this kind (see #MutatingWebhook.rules), so RBAC is
// the only control.
#MutatingWebhookConfiguration: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	//
	// Pinned to the v1 group/version by this schema.
	"apiVersion": "admissionregistration.k8s.io/v1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "MutatingWebhookConfiguration"

	// Standard object metadata; More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
	"metadata"?: v1.#ObjectMeta

	// Webhooks is a list of webhooks and the affected resources and
	// operations.
	//
	// NOTE(review): optional in this schema; an empty or absent list
	// registers nothing.
	"webhooks"?: [...#MutatingWebhook]
}
 407
// MutatingWebhookConfigurationList is a list of
// MutatingWebhookConfiguration.
//
// List type returned by collection reads; the security caveats
// documented on #MutatingWebhookConfiguration apply to each item.
#MutatingWebhookConfigurationList: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion": "admissionregistration.k8s.io/v1"

	// List of MutatingWebhookConfiguration.
	"items"!: [...#MutatingWebhookConfiguration]

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "MutatingWebhookConfigurationList"

	// Standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"metadata"?: v1.#ListMeta
}
 432
// NamedRuleWithOperations is a tuple of Operations and Resources
// with ResourceNames.
//
// NOTE(review): the field comments below say "Required." but the
// schema declares every field optional (?), mirroring the upstream
// OpenAPI. A rule that omits them satisfies this schema; whether
// the API server then rejects it is not something this file shows
// — confirm against server-side validation rather than relying on
// `cue vet`. The '*'-implies-length-one rule and the wildcard
// non-overlap check are likewise documented only.
#NamedRuleWithOperations: {
	// APIGroups is the API groups the resources belong to. '*' is all
	// groups. If '*' is present, the length of the slice must be
	// one. Required.
	"apiGroups"?: [...string]

	// APIVersions is the API versions the resources belong to. '*' is
	// all versions. If '*' is present, the length of the slice must
	// be one. Required.
	"apiVersions"?: [...string]

	// Operations is the operations the admission hook cares about -
	// CREATE, UPDATE, DELETE, CONNECT or * for all of those
	// operations and any future admission operations that are added.
	// If '*' is present, the length of the slice must be one.
	// Required.
	//
	// NOTE(review): '*' also opts in to operations that do not exist
	// yet, so a rule written today may start matching new request
	// types after an upgrade.
	"operations"?: [...string]

	// ResourceNames is an optional white list of names that the rule
	// applies to. An empty set means that everything is allowed.
	//
	// NOTE(security): "white list" here means allow-list of names
	// the rule matches, and "everything is allowed" means the rule
	// matches every name. An accidentally empty list therefore
	// widens the rule instead of narrowing it.
	"resourceNames"?: [...string]

	// Resources is a list of resources this rule applies to.
	//
	// For example: 'pods' means pods. 'pods/log' means the log
	// subresource of pods. '*' means all resources, but not
	// subresources. 'pods/*' means all subresources of pods.
	// '*/scale' means all scale subresources. '*/*' means all
	// resources and their subresources.
	//
	// If wildcard is present, the validation rule will ensure
	// resources do not overlap with each other.
	//
	// Depending on the enclosing object, subresources might not be
	// allowed. Required.
	//
	// NOTE(review): '*' alone does NOT cover subresources; a policy
	// meant to guard e.g. pods/exec or pods/status must list the
	// subresource or use the '*/*' / 'pods/*' forms.
	"resources"?: [...string]

	// scope specifies the scope of this rule. Valid values are
	// "Cluster", "Namespaced", and "*" "Cluster" means that only
	// cluster-scoped resources will match this rule. Namespace API
	// objects are cluster-scoped. "Namespaced" means that only
	// namespaced resources will match this rule. "*" means that
	// there are no scope restrictions. Subresources match the scope
	// of their parent resource. Default is "*".
	//
	// NOTE(review): Namespace objects themselves are Cluster-scoped,
	// so a "Namespaced"-only rule never sees Namespace writes —
	// relevant if the policy's namespaceSelector depends on namespace
	// labels. Only the three listed values are valid; the schema
	// accepts any string.
	"scope"?: string
}
 481
// ParamKind is a tuple of Group Kind and Version.
//
// Names the resource kind whose objects supply parameters to a
// policy's CEL expressions (see #ParamRef for how instances are
// selected).
//
// NOTE(review): both fields are commented "Required." but declared
// optional (?) here, mirroring the upstream OpenAPI; this schema
// does not reject an empty ParamKind.
#ParamKind: {
	// APIVersion is the API group version the resources belong to. In
	// format of "group/version". Required.
	"apiVersion"?: string

	// Kind is the API kind the resources belong to. Required.
	"kind"?: string
}
 491
// ParamRef describes how to locate the params to be used as input
// to expressions of rules applied by a policy binding.
//
// NOTE(security): parameters are ordinary cluster objects read at
// admission time, so whoever can write objects of the policy's
// paramKind influences how the policy evaluates. The
// name/selector exclusivity and the allowed values documented
// below are not enforced by this schema.
#ParamRef: {
	// name is the name of the resource being referenced.
	//
	// One of `name` or `selector` must be set, but `name` and
	// `selector` are mutually exclusive properties. If one is set,
	// the other must be unset.
	//
	// A single parameter used for all admission requests can be
	// configured by setting the `name` field, leaving `selector`
	// blank, and setting namespace if `paramKind` is
	// namespace-scoped.
	"name"?: string

	// namespace is the namespace of the referenced resource. Allows
	// limiting the search for params to a specific namespace.
	// Applies to both `name` and `selector` fields.
	//
	// A per-namespace parameter may be used by specifying a
	// namespace-scoped `paramKind` in the policy and leaving this
	// field empty.
	//
	// - If `paramKind` is cluster-scoped, this field MUST be unset.
	// Setting this field results in a configuration error.
	//
	// - If `paramKind` is namespace-scoped, the namespace of the
	// object being evaluated for admission will be used when this
	// field is left unset. Take care that if this is left empty the
	// binding must not match any cluster-scoped resources, which
	// will result in an error.
	//
	// NOTE(security): with a namespace-scoped paramKind and this
	// field unset, the parameters come from the namespace of the
	// object being admitted. Anyone who can create paramKind objects
	// in a namespace therefore supplies the parameters applied to
	// that namespace's requests. Either restrict write access to the
	// param kind or pin this field to an administrator-controlled
	// namespace.
	"namespace"?: string

	// `parameterNotFoundAction` controls the behavior of the binding
	// when the resource exists, and name or selector is valid, but
	// there are no parameters matched by the binding. If the value
	// is set to `Allow`, then no matched parameters will be treated
	// as successful validation by the binding. If set to `Deny`,
	// then no matched parameters will be subject to the
	// `failurePolicy` of the policy.
	//
	// Allowed values are `Allow` or `Deny`
	//
	// Required
	//
	// NOTE(security): `Allow` is fail-open — deleting or never
	// creating the param object switches the binding's validation
	// off. Use `Deny` for policies that must not be bypassable by
	// removing their parameters. Commented "Required" but declared
	// optional (?) in this schema.
	"parameterNotFoundAction"?: string

	// selector can be used to match multiple param objects based on
	// their labels. Supply selector: {} to match all resources of
	// the ParamKind.
	//
	// If multiple params are found, they are all evaluated with the
	// policy expressions and the results are ANDed together.
	//
	// One of `name` or `selector` must be set, but `name` and
	// `selector` are mutually exclusive properties. If one is set,
	// the other must be unset.
	//
	// NOTE(review): because results are ANDed, an extra matching
	// param can only make validation stricter, never looser; the
	// fail-open direction is a selector that matches nothing (see
	// parameterNotFoundAction). Each selected param is one policy
	// evaluation per request (see #ValidatingAdmissionPolicyBinding),
	// so `selector: {}` over a large kind multiplies API-server work.
	"selector"?: v1.#LabelSelector
}
 550
// RuleWithOperations is a tuple of Operations and Resources. It
// is recommended to make sure that all the tuple expansions are
// valid.
//
// Used by #MutatingWebhook.rules; the same shape plus resourceNames
// is #NamedRuleWithOperations.
//
// NOTE(review): the field comments below say "Required." but the
// schema declares every field optional (?), mirroring the upstream
// OpenAPI. A rule that omits them satisfies this schema; whether
// the API server rejects it is not something this file shows —
// confirm against server-side validation. The '*'-implies-length-one
// rule and the wildcard non-overlap check are likewise documented
// only.
#RuleWithOperations: {
	// APIGroups is the API groups the resources belong to. '*' is all
	// groups. If '*' is present, the length of the slice must be
	// one. Required.
	"apiGroups"?: [...string]

	// APIVersions is the API versions the resources belong to. '*' is
	// all versions. If '*' is present, the length of the slice must
	// be one. Required.
	"apiVersions"?: [...string]

	// Operations is the operations the admission hook cares about -
	// CREATE, UPDATE, DELETE, CONNECT or * for all of those
	// operations and any future admission operations that are added.
	// If '*' is present, the length of the slice must be one.
	// Required.
	//
	// NOTE(review): '*' also opts in to operations that do not exist
	// yet, so a webhook declared with it may start receiving new
	// request types after an upgrade.
	"operations"?: [...string]

	// Resources is a list of resources this rule applies to.
	//
	// For example: 'pods' means pods. 'pods/log' means the log
	// subresource of pods. '*' means all resources, but not
	// subresources. 'pods/*' means all subresources of pods.
	// '*/scale' means all scale subresources. '*/*' means all
	// resources and their subresources.
	//
	// If wildcard is present, the validation rule will ensure
	// resources do not overlap with each other.
	//
	// Depending on the enclosing object, subresources might not be
	// allowed. Required.
	//
	// NOTE(review): '*' alone does NOT cover subresources; a webhook
	// meant to see e.g. pods/exec must list the subresource or use
	// the '*/*' / 'pods/*' forms. Broad wildcards also enlarge what
	// an outage of this webhook blocks under failurePolicy=Fail.
	"resources"?: [...string]

	// scope specifies the scope of this rule. Valid values are
	// "Cluster", "Namespaced", and "*" "Cluster" means that only
	// cluster-scoped resources will match this rule. Namespace API
	// objects are cluster-scoped. "Namespaced" means that only
	// namespaced resources will match this rule. "*" means that
	// there are no scope restrictions. Subresources match the scope
	// of their parent resource. Default is "*".
	//
	// NOTE(review): only the three listed values are valid; the
	// schema accepts any string.
	"scope"?: string
}
 596
// ServiceReference holds a reference to Service.legacy.k8s.io
//
// Identifies the in-cluster Service the API server connects to
// when calling a webhook.
//
// NOTE(security): the API server will send admission requests to
// whatever this Service currently resolves to. The trust anchor
// for that connection (CA bundle) lives in the enclosing client
// config, which is not in this chunk — confirm it is set; without
// it, a principal able to repoint the Service or its endpoints can
// presumably receive the webhook traffic.
#ServiceReference: {
	// `name` is the name of the service. Required
	"name"!: string

	// `namespace` is the namespace of the service. Required
	"namespace"!: string

	// `path` is an optional URL path which will be sent in any
	// request to this service.
	"path"?: string

	// If specified, the port on the service that hosting webhook.
	// Default to 443 for backward compatibility. `port` should be a
	// valid port number (1-65535, inclusive).
	//
	// NOTE(review): the 1-65535 range is documented only; the schema
	// allows any int32.
	"port"?: int32 & int
}
 614
// TypeChecking contains results of type checking the expressions
// in the ValidatingAdmissionPolicy
//
// Populated by the system as part of the policy status; see
// #ExpressionWarning for what each entry carries.
#TypeChecking: {
	// The type checking warnings for each expression.
	//
	// NOTE(review): an empty or absent list is not proof that every
	// expression is sound — only that the type checker raised no
	// warning for it.
	"expressionWarnings"?: [...#ExpressionWarning]
}
 621
// ValidatingAdmissionPolicy describes the definition of an
// admission validation policy that accepts or rejects an object
// without changing it.
//
// NOTE(review): a policy only describes the checks; which requests
// it applies to and with which parameters is decided by
// #ValidatingAdmissionPolicyBinding objects that reference it.
// Write access to policies and bindings changes what the API
// server rejects, so treat both as privileged resources.
#ValidatingAdmissionPolicy: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	//
	// Pinned to the v1 group/version by this schema.
	"apiVersion": "admissionregistration.k8s.io/v1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "ValidatingAdmissionPolicy"

	// Standard object metadata; More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
	"metadata"?: v1.#ObjectMeta

	// Specification of the desired behavior of the
	// ValidatingAdmissionPolicy.
	//
	// NOTE(review): optional in this schema (#ValidatingAdmissionPolicySpec
	// is defined outside this chunk); a policy without a spec
	// validates nothing.
	"spec"?: #ValidatingAdmissionPolicySpec

	// The status of the ValidatingAdmissionPolicy, including warnings
	// that are useful to determine if the policy behaves in the
	// expected way. Populated by the system. Read-only.
	"status"?: #ValidatingAdmissionPolicyStatus
}
 653
// ValidatingAdmissionPolicyBinding binds the
// ValidatingAdmissionPolicy with parameterized resources.
// ValidatingAdmissionPolicyBinding and parameter CRDs together
// define how cluster administrators configure policies for
// clusters.
//
// For a given admission request, each binding will cause its
// policy to be evaluated N times, where N is 1 for
// policies/bindings that don't use params, otherwise N is the
// number of parameters selected by the binding.
//
// The CEL expressions of a policy must have a computed CEL cost
// below the maximum CEL budget. Each evaluation of the policy is
// given an independent CEL cost budget. Adding/removing
// policies, bindings, or params can not affect whether a given
// (policy, binding, param) combination is within its own CEL
// budget.
//
// NOTE(review): the per-evaluation budget bounds one evaluation,
// not the total per request. N evaluations per binding times the
// number of bindings is work the API server does on every matched
// request; a param selector that matches many objects multiplies
// it. Whether a separate overall limit applies is not shown here —
// confirm before using broad selectors on hot resources.
//
// NOTE(security): the binding is what activates a policy and what
// narrows it (matchResources) and parameterizes it (paramRef), so
// write access to bindings is write access to what the cluster
// enforces.
#ValidatingAdmissionPolicyBinding: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	//
	// Pinned to the v1 group/version by this schema.
	"apiVersion": "admissionregistration.k8s.io/v1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "ValidatingAdmissionPolicyBinding"

	// Standard object metadata; More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
	"metadata"?: v1.#ObjectMeta

	// Specification of the desired behavior of the
	// ValidatingAdmissionPolicyBinding.
	//
	// NOTE(review): optional in this schema; a binding without a
	// spec references no policy and does nothing useful.
	"spec"?: #ValidatingAdmissionPolicyBindingSpec
}
 694
// ValidatingAdmissionPolicyBindingList is a list of
// ValidatingAdmissionPolicyBinding.
//
// List type returned by collection reads.
#ValidatingAdmissionPolicyBindingList: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion": "admissionregistration.k8s.io/v1"

	// List of ValidatingAdmissionPolicyBinding.
	"items"!: [...#ValidatingAdmissionPolicyBinding]

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "ValidatingAdmissionPolicyBindingList"

	// Standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"metadata"?: v1.#ListMeta
}
 719
 720// ValidatingAdmissionPolicyBindingSpec is the specification of
 721// the ValidatingAdmissionPolicyBinding.
 722#ValidatingAdmissionPolicyBindingSpec: {
 723	// MatchResources declares what resources match this binding and
 724	// will be validated by it. Note that this is intersected with
 725	// the policy's matchConstraints, so only requests that are
 726	// matched by the policy can be selected by this. If this is
 727	// unset, all resources matched by the policy are validated by
 728	// this binding When resourceRules is unset, it does not
 729	// constrain resource matching. If a resource is matched by the
 730	// other fields of this object, it will be validated. Note that
 731	// this is differs from ValidatingAdmissionPolicy
 732	// matchConstraints, where resourceRules are required.
 733	"matchResources"?: #MatchResources
 734
 735	// paramRef specifies the parameter resource used to configure the
 736	// admission control policy. It should point to a resource of the
 737	// type specified in ParamKind of the bound
 738	// ValidatingAdmissionPolicy. If the policy specifies a ParamKind
 739	// and the resource referred to by ParamRef does not exist, this
 740	// binding is considered mis-configured and the FailurePolicy of
 741	// the ValidatingAdmissionPolicy applied. If the policy does not
 742	// specify a ParamKind then this field is ignored, and the rules
 743	// are evaluated without a param.
 744	"paramRef"?: #ParamRef
 745
 746	// PolicyName references a ValidatingAdmissionPolicy name which
 747	// the ValidatingAdmissionPolicyBinding binds to. If the
 748	// referenced resource does not exist, this binding is considered
 749	// invalid and will be ignored Required.
 750	"policyName"?: string
 751
 752	// validationActions declares how Validations of the referenced
 753	// ValidatingAdmissionPolicy are enforced. If a validation
 754	// evaluates to false it is always enforced according to these
 755	// actions.
 756	//
 757	// Failures defined by the ValidatingAdmissionPolicy's
 758	// FailurePolicy are enforced according to these actions only if
 759	// the FailurePolicy is set to Fail, otherwise the failures are
 760	// ignored. This includes compilation errors, runtime errors and
 761	// misconfigurations of the policy.
 762	//
 763	// validationActions is declared as a set of action values. Order
 764	// does not matter. validationActions may not contain duplicates
 765	// of the same action.
 766	//
 767	// The supported actions values are:
 768	//
 769	// "Deny" specifies that a validation failure results in a denied
 770	// request.
 771	//
 772	// "Warn" specifies that a validation failure is reported to the
 773	// request client in HTTP Warning headers, with a warning code of
 774	// 299. Warnings can be sent both for allowed or denied admission
 775	// responses.
 776	//
 777	// "Audit" specifies that a validation failure is included in the
 778	// published audit event for the request. The audit event will
 779	// contain a
 780	// `validation.policy.admission.k8s.io/validation_failure` audit
 781	// annotation with a value containing the details of the
 782	// validation failures, formatted as a JSON list of objects, each
 783	// with the following fields: - message: The validation failure
 784	// message string - policy: The resource name of the
 785	// ValidatingAdmissionPolicy - binding: The resource name of the
 786	// ValidatingAdmissionPolicyBinding - expressionIndex: The index
 787	// of the failed validations in the ValidatingAdmissionPolicy -
 788	// validationActions: The enforcement actions enacted for the
 789	// validation failure Example audit annotation:
 790	// `"validation.policy.admission.k8s.io/validation_failure":
 791	// "[{\"message\": \"Invalid value\", {\"policy\":
 792	// \"policy.example.com\", {\"binding\":
 793	// \"policybinding.example.com\", {\"expressionIndex\": \"1\",
 794	// {\"validationActions\": [\"Audit\"]}]"`
 795	//
 796	// Clients should expect to handle additional values by ignoring
 797	// any values not recognized.
 798	//
 799	// "Deny" and "Warn" may not be used together since this
 800	// combination needlessly duplicates the validation failure both
 801	// in the API response body and the HTTP warning headers.
 802	//
 803	// Required.
 804	"validationActions"?: [...string]
 805}
 806
 807// ValidatingAdmissionPolicyList is a list of
 808// ValidatingAdmissionPolicy.
 809#ValidatingAdmissionPolicyList: {
 810	// APIVersion defines the versioned schema of this representation
 811	// of an object. Servers should convert recognized schemas to the
 812	// latest internal value, and may reject unrecognized values.
 813	// More info:
 814	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 815	"apiVersion": "admissionregistration.k8s.io/v1"
 816
 817	// List of ValidatingAdmissionPolicy.
 818	"items"!: [...#ValidatingAdmissionPolicy]
 819
 820	// Kind is a string value representing the REST resource this
 821	// object represents. Servers may infer this from the endpoint
 822	// the client submits requests to. Cannot be updated. In
 823	// CamelCase. More info:
 824	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 825	"kind": "ValidatingAdmissionPolicyList"
 826
 827	// Standard list metadata. More info:
 828	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 829	"metadata"?: v1.#ListMeta
 830}
 831
 832// ValidatingAdmissionPolicySpec is the specification of the
 833// desired behavior of the AdmissionPolicy.
 834#ValidatingAdmissionPolicySpec: {
 835	// auditAnnotations contains CEL expressions which are used to
 836	// produce audit annotations for the audit event of the API
 837	// request. validations and auditAnnotations may not both be
 838	// empty; a least one of validations or auditAnnotations is
 839	// required.
 840	"auditAnnotations"?: [...#AuditAnnotation]
 841
 842	// failurePolicy defines how to handle failures for the admission
 843	// policy. Failures can occur from CEL expression parse errors,
 844	// type check errors, runtime errors and invalid or
 845	// mis-configured policy definitions or bindings.
 846	//
 847	// A policy is invalid if spec.paramKind refers to a non-existent
 848	// Kind. A binding is invalid if spec.paramRef.name refers to a
 849	// non-existent resource.
 850	//
 851	// failurePolicy does not define how validations that evaluate to
 852	// false are handled.
 853	//
 854	// When failurePolicy is set to Fail,
 855	// ValidatingAdmissionPolicyBinding validationActions define how
 856	// failures are enforced.
 857	//
 858	// Allowed values are Ignore or Fail. Defaults to Fail.
 859	"failurePolicy"?: string
 860
 861	// MatchConditions is a list of conditions that must be met for a
 862	// request to be validated. Match conditions filter requests that
 863	// have already been matched by the rules, namespaceSelector, and
 864	// objectSelector. An empty list of matchConditions matches all
 865	// requests. There are a maximum of 64 match conditions allowed.
 866	//
 867	// If a parameter object is provided, it can be accessed via the
 868	// `params` handle in the same manner as validation expressions.
 869	//
 870	// The exact matching logic is (in order):
 871	// 1. If ANY matchCondition evaluates to FALSE, the policy is
 872	// skipped.
 873	// 2. If ALL matchConditions evaluate to TRUE, the policy is
 874	// evaluated.
 875	// 3. If any matchCondition evaluates to an error (but none are
 876	// FALSE):
 877	// - If failurePolicy=Fail, reject the request
 878	// - If failurePolicy=Ignore, the policy is skipped
 879	"matchConditions"?: [...#MatchCondition]
 880
 881	// MatchConstraints specifies what resources this policy is
 882	// designed to validate. The AdmissionPolicy cares about a
 883	// request if it matches _all_ Constraints. However, in order to
 884	// prevent clusters from being put into an unstable state that
 885	// cannot be recovered from via the API ValidatingAdmissionPolicy
 886	// cannot match ValidatingAdmissionPolicy and
 887	// ValidatingAdmissionPolicyBinding. Required.
 888	"matchConstraints"?: #MatchResources
 889
 890	// ParamKind specifies the kind of resources used to parameterize
 891	// this policy. If absent, there are no parameters for this
 892	// policy and the param CEL variable will not be provided to
 893	// validation expressions. If ParamKind refers to a non-existent
 894	// kind, this policy definition is mis-configured and the
 895	// FailurePolicy is applied. If paramKind is specified but
 896	// paramRef is unset in ValidatingAdmissionPolicyBinding, the
 897	// params variable will be null.
 898	"paramKind"?: #ParamKind
 899
 900	// Validations contain CEL expressions which is used to apply the
 901	// validation. Validations and AuditAnnotations may not both be
 902	// empty; a minimum of one Validations or AuditAnnotations is
 903	// required.
 904	"validations"?: [...#Validation]
 905
 906	// Variables contain definitions of variables that can be used in
 907	// composition of other expressions. Each variable is defined as
 908	// a named CEL expression. The variables defined here will be
 909	// available under `variables` in other expressions of the policy
 910	// except MatchConditions because MatchConditions are evaluated
 911	// before the rest of the policy.
 912	//
 913	// The expression of a variable can refer to other variables
 914	// defined earlier in the list but not those after. Thus,
 915	// Variables must be sorted by the order of first appearance and
 916	// acyclic.
 917	"variables"?: [...#Variable]
 918}
 919
 920// ValidatingAdmissionPolicyStatus represents the status of an
 921// admission validation policy.
 922#ValidatingAdmissionPolicyStatus: {
 923	// The conditions represent the latest available observations of a
 924	// policy's current state.
 925	"conditions"?: [...v1.#Condition]
 926
 927	// The generation observed by the controller.
 928	"observedGeneration"?: int64 & int
 929
 930	// The results of type checking for each expression. Presence of
 931	// this field indicates the completion of the type checking.
 932	"typeChecking"?: #TypeChecking
 933}
 934
 935// ValidatingWebhook describes an admission webhook and the
 936// resources and operations it applies to.
 937#ValidatingWebhook: {
 938	// AdmissionReviewVersions is an ordered list of preferred
 939	// `AdmissionReview` versions the Webhook expects. API server
 940	// will try to use first version in the list which it supports.
 941	// If none of the versions specified in this list supported by
 942	// API server, validation will fail for this object. If a
 943	// persisted webhook configuration specifies allowed versions and
 944	// does not include any versions known to the API Server, calls
 945	// to the webhook will fail and be subject to the failure policy.
 946	"admissionReviewVersions"!: [...string]
 947
 948	// ClientConfig defines how to communicate with the hook. Required
 949	"clientConfig"!: #WebhookClientConfig
 950
 951	// FailurePolicy defines how unrecognized errors from the
 952	// admission endpoint are handled - allowed values are Ignore or
 953	// Fail. Defaults to Fail.
 954	"failurePolicy"?: string
 955
 956	// MatchConditions is a list of conditions that must be met for a
 957	// request to be sent to this webhook. Match conditions filter
 958	// requests that have already been matched by the rules,
 959	// namespaceSelector, and objectSelector. An empty list of
 960	// matchConditions matches all requests. There are a maximum of
 961	// 64 match conditions allowed.
 962	//
 963	// The exact matching logic is (in order):
 964	// 1. If ANY matchCondition evaluates to FALSE, the webhook is
 965	// skipped.
 966	// 2. If ALL matchConditions evaluate to TRUE, the webhook is
 967	// called.
 968	// 3. If any matchCondition evaluates to an error (but none are
 969	// FALSE):
 970	// - If failurePolicy=Fail, reject the request
 971	// - If failurePolicy=Ignore, the error is ignored and the webhook
 972	// is skipped
 973	"matchConditions"?: [...#MatchCondition]
 974
 975	// matchPolicy defines how the "rules" list is used to match
 976	// incoming requests. Allowed values are "Exact" or "Equivalent".
 977	//
 978	// - Exact: match a request only if it exactly matches a specified
 979	// rule. For example, if deployments can be modified via apps/v1,
 980	// apps/v1beta1, and extensions/v1beta1, but "rules" only
 981	// included `apiGroups:["apps"], apiVersions:["v1"], resources:
 982	// ["deployments"]`, a request to apps/v1beta1 or
 983	// extensions/v1beta1 would not be sent to the webhook.
 984	//
 985	// - Equivalent: match a request if modifies a resource listed in
 986	// rules, even via another API group or version. For example, if
 987	// deployments can be modified via apps/v1, apps/v1beta1, and
 988	// extensions/v1beta1, and "rules" only included
 989	// `apiGroups:["apps"], apiVersions:["v1"], resources:
 990	// ["deployments"]`, a request to apps/v1beta1 or
 991	// extensions/v1beta1 would be converted to apps/v1 and sent to
 992	// the webhook.
 993	//
 994	// Defaults to "Equivalent"
 995	"matchPolicy"?: string
 996
 997	// The name of the admission webhook. Name should be fully
 998	// qualified, e.g., imagepolicy.kubernetes.io, where
 999	// "imagepolicy" is the name of the webhook, and kubernetes.io is
1000	// the name of the organization. Required.
1001	"name"!: string
1002
1003	// NamespaceSelector decides whether to run the webhook on an
1004	// object based on whether the namespace for that object matches
1005	// the selector. If the object itself is a namespace, the
1006	// matching is performed on object.metadata.labels. If the object
1007	// is another cluster scoped resource, it never skips the
1008	// webhook.
1009	//
1010	// For example, to run the webhook on any objects whose namespace
1011	// is not associated with "runlevel" of "0" or "1"; you will set
1012	// the selector as follows: "namespaceSelector": {
1013	// "matchExpressions": [
1014	// {
1015	// "key": "runlevel",
1016	// "operator": "NotIn",
1017	// "values": [
1018	// "0",
1019	// "1"
1020	// ]
1021	// }
1022	// ]
1023	// }
1024	//
1025	// If instead you want to only run the webhook on any objects
1026	// whose namespace is associated with the "environment" of "prod"
1027	// or "staging"; you will set the selector as follows:
1028	// "namespaceSelector": {
1029	// "matchExpressions": [
1030	// {
1031	// "key": "environment",
1032	// "operator": "In",
1033	// "values": [
1034	// "prod",
1035	// "staging"
1036	// ]
1037	// }
1038	// ]
1039	// }
1040	//
1041	// See
1042	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
1043	// for more examples of label selectors.
1044	//
1045	// Default to the empty LabelSelector, which matches everything.
1046	"namespaceSelector"?: v1.#LabelSelector
1047
1048	// ObjectSelector decides whether to run the webhook based on if
1049	// the object has matching labels. objectSelector is evaluated
1050	// against both the oldObject and newObject that would be sent to
1051	// the webhook, and is considered to match if either object
1052	// matches the selector. A null object (oldObject in the case of
1053	// create, or newObject in the case of delete) or an object that
1054	// cannot have labels (like a DeploymentRollback or a
1055	// PodProxyOptions object) is not considered to match. Use the
1056	// object selector only if the webhook is opt-in, because end
1057	// users may skip the admission webhook by setting the labels.
1058	// Default to the empty LabelSelector, which matches everything.
1059	"objectSelector"?: v1.#LabelSelector
1060
1061	// Rules describes what operations on what resources/subresources
1062	// the webhook cares about. The webhook cares about an operation
1063	// if it matches _any_ Rule. However, in order to prevent
1064	// ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from
1065	// putting the cluster in a state which cannot be recovered from
1066	// without completely disabling the plugin,
1067	// ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are
1068	// never called on admission requests for
1069	// ValidatingWebhookConfiguration and
1070	// MutatingWebhookConfiguration objects.
1071	"rules"?: [...#RuleWithOperations]
1072
1073	// SideEffects states whether this webhook has side effects.
1074	// Acceptable values are: None, NoneOnDryRun (webhooks created
1075	// via v1beta1 may also specify Some or Unknown). Webhooks with
1076	// side effects MUST implement a reconciliation system, since a
1077	// request may be rejected by a future step in the admission
1078	// chain and the side effects therefore need to be undone.
1079	// Requests with the dryRun attribute will be auto-rejected if
1080	// they match a webhook with sideEffects == Unknown or Some.
1081	"sideEffects"!: string
1082
1083	// TimeoutSeconds specifies the timeout for this webhook. After
1084	// the timeout passes, the webhook call will be ignored or the
1085	// API call will fail based on the failure policy. The timeout
1086	// value must be between 1 and 30 seconds. Default to 10 seconds.
1087	"timeoutSeconds"?: int32 & int
1088}
1089
// ValidatingWebhookConfiguration registers admission webhooks that
// accept or reject an object without changing it.
#ValidatingWebhookConfiguration: {
	// apiVersion names the versioned schema this object is written
	// against. Fixed for this package. Servers convert recognized
	// schemas to their latest internal value and may reject values
	// they do not recognize. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "admissionregistration.k8s.io/v1"

	// kind is the CamelCase REST resource name of this object. It
	// cannot be updated; servers may infer it from the endpoint the
	// client submits to. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ValidatingWebhookConfiguration"

	// metadata is the standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
	metadata?: v1.#ObjectMeta

	// webhooks lists the individual webhooks, each with the resources
	// and operations it applies to. Changes to this object are never
	// themselves reviewed by admission webhooks (see
	// #ValidatingWebhook.rules), so its write access is the control
	// point.
	webhooks?: [...#ValidatingWebhook]
}
1116
// ValidatingWebhookConfigurationList is the list form returned when
// ValidatingWebhookConfiguration objects are enumerated.
#ValidatingWebhookConfigurationList: {
	// apiVersion names the versioned schema this object is written
	// against. Fixed for this package. Servers convert recognized
	// schemas to their latest internal value and may reject values
	// they do not recognize. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "admissionregistration.k8s.io/v1"

	// items holds the webhook configurations. Required.
	items!: [...#ValidatingWebhookConfiguration]

	// kind is the CamelCase REST resource name of this object. It
	// cannot be updated; servers may infer it from the endpoint the
	// client submits to. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ValidatingWebhookConfigurationList"

	// metadata is the standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	metadata?: v1.#ListMeta
}
1141
// Validation is one CEL rule of a ValidatingAdmissionPolicy: the
// expression that must hold, and the message and reason returned to
// the client when it does not.
#Validation: {
	// expression is the CEL expression that is evaluated for each
	// matching request (ref: https://github.com/google/cel-spec).
	// Required. The request is exposed through these variables:
	//
	// - 'object': the object from the incoming request; null for
	//   DELETE requests.
	// - 'oldObject': the existing object; null for CREATE requests.
	// - 'request': attributes of the API request
	//   ([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
	// - 'params': the parameter resource referenced by the binding
	//   being evaluated. Only populated if the policy has a
	//   ParamKind.
	// - 'namespaceObject': the namespace the incoming object belongs
	//   to; null for cluster-scoped resources.
	// - 'variables': map of composited variables, by name, evaluated
	//   lazily; a variable named 'foo' is read as 'variables.foo'.
	// - 'authorizer': a CEL Authorizer for performing authorization
	//   checks on the principal (user or service account) of the
	//   request. See
	//   https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
	// - 'authorizer.requestResource': a CEL ResourceCheck built from
	//   'authorizer' and pre-configured with the request resource.
	//
	// Of the object's metadata only `apiVersion`, `kind`,
	// `metadata.name` and `metadata.generateName` are reachable from
	// the object root; no other metadata property is accessible, so
	// label- or annotation-based checks must go through the request
	// or namespaceObject instead.
	//
	// Only property names matching `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
	// are accessible, and they are escaped when referenced:
	// - '__' becomes '__underscores__'
	// - '.' becomes '__dot__'
	// - '-' becomes '__dash__'
	// - '/' becomes '__slash__'
	// - a name that exactly equals a CEL RESERVED keyword becomes
	//   '__{keyword}__'. The keywords are: "true", "false", "null",
	//   "in", "as", "break", "const", "continue", "else", "for",
	//   "function", "if", "import", "let", "loop", "package",
	//   "namespace", "return".
	// Examples:
	// - property "namespace": {"Expression": "object.__namespace__ > 0"}
	// - property "x-prop": {"Expression": "object.x__dash__prop > 0"}
	// - property "redact__d":
	//   {"Expression": "object.redact__underscores__d > 0"}
	//
	// Arrays with list type 'set' or 'map' compare ignoring element
	// order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with
	// x-kubernetes-list-type follows the list type:
	// - 'set': `X + Y` is a union; positions of all elements of `X`
	//   are kept and the non-intersecting elements of `Y` are
	//   appended in their partial order.
	// - 'map': `X + Y` is a merge; positions of all keys of `X` are
	//   kept, values are overwritten by `Y` where the key sets
	//   intersect, and elements of `Y` with new keys are appended in
	//   their partial order.
	expression!: string

	// message is shown to the client when the validation fails. It
	// must not contain line breaks and is required when the
	// expression itself contains line breaks. If unset, the message
	// is "failed Expression: {Expression}" (older wording: "failed
	// rule: {Rule}"), e.g. "must be a URL with the host matching
	// spec.host".
	message?: string

	// messageExpression is a CEL expression producing the failure
	// message; it must evaluate to a string. When both message and
	// messageExpression are set, messageExpression wins on failure.
	// If it raises a runtime error, or yields an empty string, a
	// whitespace-only string, or a string containing line breaks, the
	// event is logged and the message is produced as if
	// messageExpression were unset. It sees the same variables as
	// `expression` except 'authorizer' and
	// 'authorizer.requestResource'. Because the result goes back to
	// the requesting client, avoid echoing values from `params` or
	// `namespaceObject` that the requester should not learn.
	// Example: "object.x must be less than max ("+string(params.max)+")"
	messageExpression?: string

	// reason is a machine-readable reason for the failure. For the
	// first failing validation in the list, this reason and its
	// matching HTTP status code are used in the response. Currently
	// supported: "Unauthorized", "Forbidden", "Invalid",
	// "RequestEntityTooLarge". Defaults to StatusReasonInvalid.
	reason?: string
}
1251
// Variable is a named CEL expression whose value other expressions
// in the same policy can reuse.
#Variable: {
	// expression is evaluated (lazily) to produce the variable's
	// value. It has access to the same identifiers as a Validation's
	// expression.
	expression!: string

	// name identifies the variable. It must be a valid CEL identifier
	// and unique among the policy's variables; a variable named "foo"
	// is read elsewhere as `variables.foo`.
	name!: string
}
1267
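// WebhookClientConfig is what the API server needs to open a TLS
// connection to a webhook: where it is, and which CA it trusts.
//
// Change from the generated schema: url is constrained to begin with
// "https://", which the field's own documentation already requires,
// so a plain-http or malformed endpoint is rejected before it reaches
// the API server.
#WebhookClientConfig: {
	// caBundle is a PEM encoded CA bundle used to validate the
	// webhook's server certificate. If unspecified, the apiserver's
	// system trust roots are used, which means any certificate chained
	// to a publicly trusted CA for the webhook's host name is
	// accepted; pin a dedicated CA here for in-cluster webhooks.
	// NOTE(review): as a Kubernetes byte field this is normally
	// carried base64-encoded in JSON/YAML manifests even though the
	// schema types it as a string — confirm against your tooling.
	caBundle?: string

	// service references the in-cluster Service that fronts the
	// webhook. Exactly one of service or url must be set; a webhook
	// running inside the cluster should use service.
	service?: #ServiceReference

	// url is the webhook location in standard URL form
	// (`scheme://host:port/path`). Exactly one of url or service must
	// be set.
	//
	// The host should not refer to a service running in the cluster;
	// use service for that. Some apiservers resolve the host via
	// external DNS (kube-apiserver cannot resolve in-cluster DNS, as
	// that would be a layering violation). The host may also be an IP
	// address.
	//
	// Using `localhost` or `127.0.0.1` as the host is risky unless the
	// webhook is guaranteed to run on every host that runs an
	// apiserver which might call it; such installs are unlikely to be
	// portable to a new cluster.
	//
	// The scheme must be "https": the URL must begin with "https://",
	// which the regex below enforces.
	//
	// A path is optional and may be any string permissible in a URL;
	// it can carry an arbitrary value to the webhook, such as a
	// cluster identifier.
	//
	// User info / basic auth ("user:password@"), fragments ("#...")
	// and query parameters ("?...") are not allowed.
	url?: string & =~"^https://"
}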