  1package v1alpha1
  2
  3import "cue.dev/x/k8s.io/apimachinery/pkg/apis/meta/v1"
  4
  5// ApplyConfiguration defines the desired configuration values of
  6// an object.
  7#ApplyConfiguration: {
  8	// expression will be evaluated by CEL to create an apply
  9	// configuration. ref: https://github.com/google/cel-spec
 10	//
 11	// Apply configurations are declared in CEL using object
 12	// initialization. For example, this CEL expression returns an
 13	// apply configuration to set a single field:
 14	//
 15	// Object{
 16	// spec: Object.spec{
 17	// serviceAccountName: "example"
 18	// }
 19	// }
 20	//
 21	// Apply configurations may not modify atomic structs, maps or
 22	// arrays due to the risk of accidental deletion of values not
 23	// included in the apply configuration.
 24	//
 25	// CEL expressions have access to the object types needed to
 26	// create apply configurations:
 27	//
 28	// - 'Object' - CEL type of the resource object. -
 29	// 'Object.<fieldName>' - CEL type of object field (such as
 30	// 'Object.spec') -
 31	// 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type
 32	// of nested field (such as 'Object.spec.containers')
 33	//
 34	// CEL expressions have access to the contents of the API request,
 35	// organized into CEL variables as well as some other useful
 36	// variables:
 37	//
 38	// - 'object' - The object from the incoming request. The value is
 39	// null for DELETE requests. - 'oldObject' - The existing object.
 40	// The value is null for CREATE requests. - 'request' -
 41	// Attributes of the API
 42	// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
 43	// - 'params' - Parameter resource referred to by the policy
 44	// binding being evaluated. Only populated if the policy has a
 45	// ParamKind. - 'namespaceObject' - The namespace object that the
 46	// incoming object belongs to. The value is null for
 47	// cluster-scoped resources. - 'variables' - Map of composited
 48	// variables, from its name to its lazily evaluated value.
 49	// For example, a variable named 'foo' can be accessed as
 50	// 'variables.foo'.
 51	// - 'authorizer' - A CEL Authorizer. May be used to perform
 52	// authorization checks for the principal (user or service
 53	// account) of the request.
 54	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
 55	// - 'authorizer.requestResource' - A CEL ResourceCheck
 56	// constructed from the 'authorizer' and configured with the
 57	// request resource.
 58	//
 59	// The `apiVersion`, `kind`, `metadata.name` and
 60	// `metadata.generateName` are always accessible from the root of
 61	// the object. No other metadata properties are accessible.
 62	//
 63	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
 64	// are accessible. Required.
 65	"expression"?: string
 66}
 67
 68// JSONPatch defines a JSON Patch.
 69#JSONPatch: {
 70	// expression will be evaluated by CEL to create a [JSON
 71	// patch](https://jsonpatch.com/). ref:
 72	// https://github.com/google/cel-spec
 73	//
 74	// expression must return an array of JSONPatch values.
 75	//
 76	// For example, this CEL expression returns a JSON patch to
 77	// conditionally modify a value:
 78	//
 79	// [
 80	// JSONPatch{op: "test", path: "/spec/example", value: "Red"},
 81	// JSONPatch{op: "replace", path: "/spec/example", value: "Green"}
 82	// ]
 83	//
 84	// To define an object for the patch value, use Object types. For
 85	// example:
 86	//
 87	// [
 88	// JSONPatch{
 89	// op: "add",
 90	// path: "/spec/selector",
 91	// value: Object.spec.selector{matchLabels: {"environment":
 92	// "test"}}
 93	// }
 94	// ]
 95	//
 96	// To use strings containing '/' and '~' as JSONPatch path keys,
 97	// use "jsonpatch.escapeKey". For example:
 98	//
 99	// [
100	// JSONPatch{
101	// op: "add",
102	// path: "/metadata/labels/" +
103	// jsonpatch.escapeKey("example.com/environment"),
104	// value: "test"
105	// },
106	// ]
107	//
108	// CEL expressions have access to the types needed to create JSON
109	// patches and objects:
110	//
111	// - 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch
112	// has the fields 'op', 'from', 'path' and 'value'.
113	// See [JSON patch](https://jsonpatch.com/) for more details. The
114	// 'value' field may be set to any of: string,
115	// integer, array, map or object. If set, the 'path' and 'from'
116	// fields must be set to a
117	// [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/)
118	// string, where the 'jsonpatch.escapeKey()' CEL
119	// function may be used to escape path keys containing '/' and
120	// '~'.
121	// - 'Object' - CEL type of the resource object. -
122	// 'Object.<fieldName>' - CEL type of object field (such as
123	// 'Object.spec') -
124	// 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type
125	// of nested field (such as 'Object.spec.containers')
126	//
127	// CEL expressions have access to the contents of the API request,
128	// organized into CEL variables as well as some other useful
129	// variables:
130	//
131	// - 'object' - The object from the incoming request. The value is
132	// null for DELETE requests. - 'oldObject' - The existing object.
133	// The value is null for CREATE requests. - 'request' -
134	// Attributes of the API
135	// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
136	// - 'params' - Parameter resource referred to by the policy
137	// binding being evaluated. Only populated if the policy has a
138	// ParamKind. - 'namespaceObject' - The namespace object that the
139	// incoming object belongs to. The value is null for
140	// cluster-scoped resources. - 'variables' - Map of composited
141	// variables, from its name to its lazily evaluated value.
142	// For example, a variable named 'foo' can be accessed as
143	// 'variables.foo'.
144	// - 'authorizer' - A CEL Authorizer. May be used to perform
145	// authorization checks for the principal (user or service
146	// account) of the request.
147	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
148	// - 'authorizer.requestResource' - A CEL ResourceCheck
149	// constructed from the 'authorizer' and configured with the
150	// request resource.
151	//
152	// CEL expressions have access to [Kubernetes CEL function
153	// libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)
154	// as well as:
155	//
156	// - 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~'
157	// and '/' are escaped as '~0' and `~1' respectively).
158	//
159	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
160	// are accessible. Required.
161	"expression"?: string
162}
// MatchCondition is a named CEL predicate that narrows the admission
// requests a policy is evaluated for.
#MatchCondition: {
	// name identifies this match condition. It is used for strategic
	// merging of MatchConditions and as an identifier in logs, so it
	// should describe the associated expression. It must be a qualified
	// name: alphanumeric characters, '-', '_' or '.', starting and ending
	// with an alphanumeric character (e.g. 'MyName', 'my.name' or
	// '123-abc'; the validation regex is
	// '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]'), with an optional DNS
	// subdomain prefix and '/' (e.g. 'example.com/MyName').
	//
	// Required.
	name!: string

	// expression is evaluated by CEL and must evaluate to bool. It has
	// access to the contents of the AdmissionRequest and to the
	// Authorizer through these CEL variables:
	//
	//   - 'object' - The object from the incoming request; null for
	//     DELETE requests.
	//   - 'oldObject' - The existing object; null for CREATE requests.
	//   - 'request' - Attributes of the admission request
	//     (/pkg/apis/admission/types.go#AdmissionRequest).
	//   - 'authorizer' - A CEL Authorizer, usable for authorization checks
	//     on the principal (user or service account) of the request.
	//     See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
	//   - 'authorizer.requestResource' - A CEL ResourceCheck constructed
	//     from 'authorizer' and configured with the request resource.
	//
	// Documentation on CEL:
	// https://kubernetes.io/docs/reference/using-api/cel/
	//
	// Required.
	expression!: string
}

// MatchResources decides whether an admission control policy runs on
// an object, based on whether the object meets the match criteria.
// Exclude rules take precedence over include rules: a resource that
// matches both is excluded.
#MatchResources: {
	// resourceRules describes which operations on which
	// resources/subresources the admission policy matches. The policy
	// cares about an operation if it matches _any_ rule.
	resourceRules?: [...#NamedRuleWithOperations]

	// excludeResourceRules describes which operations on which
	// resources/subresources the policy should not care about. Exclude
	// rules take precedence over include rules: a resource that matches
	// both is excluded.
	excludeResourceRules?: [...#NamedRuleWithOperations]

	// matchPolicy defines how the "MatchResources" list is used to match
	// incoming requests. Allowed values are "Exact" and "Equivalent".
	//
	//   - Exact: match a request only if it exactly matches a specified
	//     rule. If deployments can be modified via apps/v1, apps/v1beta1
	//     and extensions/v1beta1 but "rules" only includes
	//     `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
	//     the admission policy does not consider requests to the
	//     apps/v1beta1 or extensions/v1beta1 API groups.
	//   - Equivalent: match a request if it modifies a resource listed in
	//     rules, even via another API group or version. With the same
	//     "rules" as above, the admission policy **does** consider
	//     requests made to apps/v1beta1 or extensions/v1beta1; the API
	//     server translates the request to a matched resource API if
	//     necessary.
	//
	// Defaults to "Equivalent".
	matchPolicy?: string

	// namespaceSelector decides whether the policy runs on an object based
	// on whether the object's namespace matches the selector. If the
	// object itself is a namespace, matching is performed on
	// object.metadata.labels. Any other cluster-scoped object never skips
	// the policy.
	//
	// For example, to run the policy on objects whose namespace is not
	// associated with a "runlevel" of "0" or "1", set the selector to:
	//
	//	namespaceSelector: {
	//		matchExpressions: [{
	//			key:      "runlevel"
	//			operator: "NotIn"
	//			values: ["0", "1"]
	//		}]
	//	}
	//
	// To run the policy only on objects whose namespace is associated with
	// an "environment" of "prod" or "staging", set it to:
	//
	//	namespaceSelector: {
	//		matchExpressions: [{
	//			key:      "environment"
	//			operator: "In"
	//			values: ["prod", "staging"]
	//		}]
	//	}
	//
	// See
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
	// for more examples of label selectors.
	//
	// Defaults to the empty LabelSelector, which matches everything.
	namespaceSelector?: v1.#LabelSelector

	// objectSelector decides whether the policy runs based on whether the
	// object has matching labels. It is evaluated against both the
	// oldObject and the newObject that would be sent to the policy's
	// CEL expression, and matches if either object matches the selector.
	// A null object (oldObject on create, newObject on delete) or an
	// object that cannot carry labels (such as DeploymentRollback or
	// PodProxyOptions) is not considered a match. Because end users who
	// can set labels on an object can thereby opt it out of the policy,
	// use the object selector only where the policy is meant to be
	// opt-in.
	//
	// Defaults to the empty LabelSelector, which matches everything.
	objectSelector?: v1.#LabelSelector
}

// MutatingAdmissionPolicy is the definition of an admission mutation
// policy: it mutates objects entering the admission chain.
#MutatingAdmissionPolicy: {
	// kind is the REST resource this object represents, in CamelCase.
	// Servers may infer it from the endpoint the client submits requests
	// to. Cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "MutatingAdmissionPolicy"

	// apiVersion is the versioned schema of this representation of an
	// object. Servers should convert recognized schemas to the latest
	// internal value and may reject unrecognized values. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "admissionregistration.k8s.io/v1alpha1"

	// metadata is the standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ObjectMeta

	// spec specifies the desired behavior of the MutatingAdmissionPolicy.
	spec?: #MutatingAdmissionPolicySpec
}

// MutatingAdmissionPolicyBinding binds a MutatingAdmissionPolicy to
// parametrized resources. The binding and the optional parameter
// resource together define how cluster administrators configure
// policies for clusters.
//
// For a given admission request, each binding causes its policy to be
// evaluated N times: N is 1 for policies/bindings that do not use
// params, otherwise N is the number of parameters selected by the
// binding. Each evaluation is constrained by a [runtime cost
// budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).
//
// Adding or removing policies, bindings or params cannot affect whether
// a given (policy, binding, param) combination is within its own CEL
// budget.
#MutatingAdmissionPolicyBinding: {
	// kind is the REST resource this object represents, in CamelCase.
	// Servers may infer it from the endpoint the client submits requests
	// to. Cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "MutatingAdmissionPolicyBinding"

	// apiVersion is the versioned schema of this representation of an
	// object. Servers should convert recognized schemas to the latest
	// internal value and may reject unrecognized values. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "admissionregistration.k8s.io/v1alpha1"

	// metadata is the standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ObjectMeta

	// spec specifies the desired behavior of the
	// MutatingAdmissionPolicyBinding.
	spec?: #MutatingAdmissionPolicyBindingSpec
}

// MutatingAdmissionPolicyBindingList is a list of
// MutatingAdmissionPolicyBinding.
#MutatingAdmissionPolicyBindingList: {
	// kind is the REST resource this object represents, in CamelCase.
	// Servers may infer it from the endpoint the client submits requests
	// to. Cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "MutatingAdmissionPolicyBindingList"

	// apiVersion is the versioned schema of this representation of an
	// object. Servers should convert recognized schemas to the latest
	// internal value and may reject unrecognized values. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "admissionregistration.k8s.io/v1alpha1"

	// metadata is the standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ListMeta

	// items is the list of MutatingAdmissionPolicyBinding objects.
	items!: [...#MutatingAdmissionPolicyBinding]
}

// MutatingAdmissionPolicyBindingSpec is the specification of the
// MutatingAdmissionPolicyBinding.
#MutatingAdmissionPolicyBindingSpec: {
	// policyName references the MutatingAdmissionPolicy this binding binds
	// to. If the referenced resource does not exist, the binding is
	// considered invalid and is ignored.
	//
	// The API documentation marks this field as required, but it is
	// optional in this definition.
	policyName?: string

	// paramRef specifies the parameter resource used to configure the
	// admission control policy. It should point to a resource of the type
	// given in spec.ParamKind of the bound MutatingAdmissionPolicy. If the
	// policy specifies a ParamKind and the resource referred to by
	// paramRef does not exist, the binding is considered mis-configured
	// and the FailurePolicy of the MutatingAdmissionPolicy is applied. If
	// the policy does not specify a ParamKind, this field is ignored and
	// the rules are evaluated without a param.
	paramRef?: #ParamRef

	// matchResources limits which resources match this binding and may be
	// mutated by it. A resource that matches matchResources must also
	// match the policy's matchConstraints and matchConditions before it
	// may be mutated. When matchResources is unset it does not constrain
	// matching, and only the policy's matchConstraints and
	// matchConditions must match. matchResources.resourceRules is
	// likewise optional and does not constrain matching when unset; this
	// differs from MutatingAdmissionPolicy matchConstraints, where
	// resourceRules is required. The CREATE, UPDATE and CONNECT
	// operations are allowed; DELETE may not be matched, and '*' matches
	// CREATE, UPDATE and CONNECT.
	matchResources?: #MatchResources
}

// MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.
#MutatingAdmissionPolicyList: {
	// kind is the REST resource this object represents, in CamelCase.
	// Servers may infer it from the endpoint the client submits requests
	// to. Cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "MutatingAdmissionPolicyList"

	// apiVersion is the versioned schema of this representation of an
	// object. Servers should convert recognized schemas to the latest
	// internal value and may reject unrecognized values. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "admissionregistration.k8s.io/v1alpha1"

	// metadata is the standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ListMeta

	// items is the list of MutatingAdmissionPolicy objects.
	items!: [...#MutatingAdmissionPolicy]
}

// MutatingAdmissionPolicySpec is the specification of the desired
// behavior of the admission policy.
#MutatingAdmissionPolicySpec: {
	// matchConstraints specifies which resources this policy is designed
	// to mutate. The MutatingAdmissionPolicy cares about a request only if
	// it matches _all_ constraints. To prevent clusters from being put
	// into an unstable state that cannot be recovered from via the API, a
	// MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy or
	// MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT
	// operations are allowed; DELETE may not be matched, and '*' matches
	// CREATE, UPDATE and CONNECT.
	//
	// The API documentation marks this field as required, but it is
	// optional in this definition.
	matchConstraints?: #MatchResources

	// matchConditions lists conditions that must all be met for a request
	// to be mutated. They filter requests that have already been matched
	// by matchConstraints; an empty list matches all requests. At most 64
	// match conditions are allowed.
	//
	// If a parameter object is provided, it can be accessed via the
	// `params` handle in the same manner as validation expressions.
	//
	// The exact matching logic is (in order):
	//   1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
	//   2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
	//   3. If any matchCondition evaluates to an error (but none are FALSE):
	//      - If failurePolicy=Fail, the request is rejected.
	//      - If failurePolicy=Ignore, the policy is skipped.
	matchConditions?: [...#MatchCondition]

	// mutations lists the operations to perform on matching objects. It
	// may not be empty: at least one mutation is required. Mutations are
	// evaluated in order and reinvoked according to reinvocationPolicy.
	// The mutations of a policy are invoked for each binding of the
	// policy, and reinvocation happens on a per-binding basis.
	mutations?: [...#Mutation]

	// failurePolicy defines how failures of the admission policy are
	// handled. Failures can come from CEL expression parse errors, type
	// check errors, runtime errors, and invalid or mis-configured policy
	// definitions or bindings. A policy is invalid if paramKind refers to
	// a non-existent Kind; a binding is invalid if paramRef.name refers to
	// a non-existent resource.
	//
	// failurePolicy does not define how validations that evaluate to
	// false are handled.
	//
	// Allowed values are Ignore or Fail. Defaults to Fail. With Ignore, a
	// policy whose evaluation errors is skipped rather than the request
	// being rejected (see the matchConditions error case above).
	failurePolicy?: string

	// reinvocationPolicy indicates whether mutations may be called more
	// than once per MutatingAdmissionPolicyBinding within a single
	// admission evaluation. Allowed values are "Never" and "IfNeeded".
	//
	//   - Never: the mutations are not called more than once per binding
	//     in a single admission evaluation.
	//   - IfNeeded: the mutations may be invoked more than once per
	//     binding for a single admission request, with no guarantee of
	//     order relative to other admission plugins, admission webhooks,
	//     bindings of this policy and admission policies. Mutations are
	//     only reinvoked when other mutations change the object after this
	//     mutation was invoked.
	//
	// The API documentation marks this field as required, but it is
	// optional in this definition.
	reinvocationPolicy?: string

	// paramKind specifies the kind of resource used to parameterize this
	// policy. If absent, the policy has no parameters and the param CEL
	// variable is not provided to validation expressions. If paramKind
	// refers to a non-existent kind, the policy definition is
	// mis-configured and the FailurePolicy is applied. If paramKind is
	// specified but paramRef is unset in the
	// MutatingAdmissionPolicyBinding, the params variable is null.
	paramKind?: #ParamKind

	// variables defines named CEL expressions that can be used in the
	// composition of other expressions. They are available under
	// `variables` in the other expressions of the policy, except
	// matchConditions, which are evaluated before the rest of the policy.
	//
	// A variable's expression may refer to variables defined earlier in
	// the list but not to later ones, so variables must be sorted by the
	// order of first appearance and be acyclic.
	variables?: [...#Variable]
}

// Mutation specifies the CEL expression used to apply a mutation.
#Mutation: {
	// patchType indicates the patch strategy used, and so which of
	// applyConfiguration or jsonPatch carries the expression. Allowed
	// values are "ApplyConfiguration" and "JSONPatch". Required.
	patchType!: string

	// applyConfiguration defines the desired configuration values of an
	// object, created by a CEL expression. The configuration is applied
	// to the admission object using [structured merge
	// diff](https://github.com/kubernetes-sigs/structured-merge-diff).
	applyConfiguration?: #ApplyConfiguration

	// jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation
	// that mutates the object, created by a CEL expression.
	jsonPatch?: #JSONPatch
}

// NamedRuleWithOperations is a tuple of Operations and Resources with
// ResourceNames.
#NamedRuleWithOperations: {
	// apiGroups lists the API groups the resources belong to. '*' means
	// all groups; if '*' is present, the list must have length one.
	// Required.
	apiGroups?: [...string]

	// apiVersions lists the API versions the resources belong to. '*'
	// means all versions; if '*' is present, the list must have length
	// one. Required.
	apiVersions?: [...string]

	// resources lists the resources this rule applies to.
	//
	// For example: 'pods' means pods; 'pods/log' means the log
	// subresource of pods; '*' means all resources but not subresources;
	// 'pods/*' means all subresources of pods; '*/scale' means all scale
	// subresources; '*/*' means all resources and their subresources.
	//
	// If a wildcard is present, the validation rule ensures resources do
	// not overlap with each other.
	//
	// Depending on the enclosing object, subresources might not be
	// allowed. Required.
	resources?: [...string]

	// resourceNames is an optional allow-list of object names the rule
	// applies to. An empty set means every name is allowed.
	resourceNames?: [...string]

	// operations lists the operations the admission hook cares about:
	// CREATE, UPDATE, DELETE, CONNECT, or '*' for all of those plus any
	// admission operations added in the future. If '*' is present, the
	// list must have length one. Required.
	operations?: [...string]

	// scope specifies the scope of this rule. Valid values are "Cluster",
	// "Namespaced" and "*". "Cluster" matches only cluster-scoped
	// resources (Namespace API objects are cluster-scoped); "Namespaced"
	// matches only namespaced resources; "*" imposes no scope
	// restriction. Subresources match the scope of their parent resource.
	// Default is "*".
	scope?: string
}

// ParamKind is a tuple of Group, Version and Kind.
#ParamKind: {
	// kind is the API kind the resources belong to. Required.
	kind?: string

	// apiVersion is the API group version the resources belong to, in
	// the format "group/version". Required.
	apiVersion?: string
}

// ParamRef describes how to locate the params used as input to the
// expressions of rules applied by a policy binding.
#ParamRef: {
	// name is the name of the referenced resource.
	//
	// `name` and `selector` are mutually exclusive: if one is set, the
	// other must be unset.
	name?: string

	// selector matches multiple param objects by their labels. Supply
	// `selector: {}` to match all resources of the ParamKind.
	//
	// If multiple params are found, they are all evaluated with the
	// policy expressions and the results are ANDed together.
	//
	// One of `name` or `selector` must be set, but they are mutually
	// exclusive: if one is set, the other must be unset.
	selector?: v1.#LabelSelector

	// namespace is the namespace of the referenced resource; it limits
	// the search for params to that namespace and applies to both `name`
	// and `selector`.
	//
	// A per-namespace parameter may be used by specifying a
	// namespace-scoped `paramKind` in the policy and leaving this field
	// empty.
	//
	//   - If `paramKind` is cluster-scoped, this field MUST be unset;
	//     setting it is a configuration error.
	//   - If `paramKind` is namespace-scoped and this field is unset, the
	//     namespace of the object being evaluated for admission is used.
	//     In that case the binding must not match any cluster-scoped
	//     resources, which would result in an error.
	namespace?: string

	// parameterNotFoundAction controls the behavior of the binding when
	// the resource exists and name or selector is valid, but no
	// parameters are matched by the binding. `Allow` treats the absence
	// of matched parameters as successful validation by the binding;
	// `Deny` subjects it to the `failurePolicy` of the policy.
	//
	// Allowed values are `Allow` or `Deny`. Defaults to `Deny`.
	parameterNotFoundAction?: string
}

// Variable defines a named CEL expression used for composition.
#Variable: {
	// name is the name of the variable. It must be a valid CEL identifier
	// and unique among all variables. Other expressions reach the
	// variable through `variables`: a variable named "foo" is available
	// as `variables.foo`.
	name!: string

	// expression is evaluated as the value of the variable. It has access
	// to the same identifiers as the CEL expressions in Validation.
	expression!: string
}