
  1package v1beta1
  2
  3import "cue.dev/x/k8s.io/apimachinery/pkg/apis/meta/v1"
  4
  5// ApplyConfiguration defines the desired configuration values of
  6// an object.
  7#ApplyConfiguration: {
  8	// expression will be evaluated by CEL to create an apply
  9	// configuration. ref: https://github.com/google/cel-spec
 10	//
 11	// Apply configurations are declared in CEL using object
 12	// initialization. For example, this CEL expression returns an
 13	// apply configuration to set a single field:
 14	//
 15	// Object{
 16	// spec: Object.spec{
 17	// serviceAccountName: "example"
 18	// }
 19	// }
 20	//
 21	// Apply configurations may not modify atomic structs, maps or
 22	// arrays due to the risk of accidental deletion of values not
 23	// included in the apply configuration.
 24	//
 25	// CEL expressions have access to the object types needed to
 26	// create apply configurations:
 27	//
 28	// - 'Object' - CEL type of the resource object. -
 29	// 'Object.<fieldName>' - CEL type of object field (such as
 30	// 'Object.spec') -
 31	// 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type
 32	// of nested field (such as 'Object.spec.containers')
 33	//
 34	// CEL expressions have access to the contents of the API request,
 35	// organized into CEL variables as well as some other useful
 36	// variables:
 37	//
 38	// - 'object' - The object from the incoming request. The value is
 39	// null for DELETE requests. - 'oldObject' - The existing object.
 40	// The value is null for CREATE requests. - 'request' -
 41	// Attributes of the API
 42	// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
 43	// - 'params' - Parameter resource referred to by the policy
 44	// binding being evaluated. Only populated if the policy has a
 45	// ParamKind. - 'namespaceObject' - The namespace object that the
 46	// incoming object belongs to. The value is null for
 47	// cluster-scoped resources. - 'variables' - Map of composited
 48	// variables, from its name to its lazily evaluated value.
 49	// For example, a variable named 'foo' can be accessed as
 50	// 'variables.foo'.
 51	// - 'authorizer' - A CEL Authorizer. May be used to perform
 52	// authorization checks for the principal (user or service
 53	// account) of the request.
 54	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
 55	// - 'authorizer.requestResource' - A CEL ResourceCheck
 56	// constructed from the 'authorizer' and configured with the
 57	// request resource.
 58	//
 59	// The `apiVersion`, `kind`, `metadata.name` and
 60	// `metadata.generateName` are always accessible from the root of
 61	// the object. No other metadata properties are accessible.
 62	//
 63	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
 64	// are accessible. Required.
 65	"expression"?: string
 66}
 67
 68// JSONPatch defines a JSON Patch.
 69#JSONPatch: {
 70	// expression will be evaluated by CEL to create a [JSON
 71	// patch](https://jsonpatch.com/). ref:
 72	// https://github.com/google/cel-spec
 73	//
 74	// expression must return an array of JSONPatch values.
 75	//
 76	// For example, this CEL expression returns a JSON patch to
 77	// conditionally modify a value:
 78	//
 79	// [
 80	// JSONPatch{op: "test", path: "/spec/example", value: "Red"},
 81	// JSONPatch{op: "replace", path: "/spec/example", value: "Green"}
 82	// ]
 83	//
 84	// To define an object for the patch value, use Object types. For
 85	// example:
 86	//
 87	// [
 88	// JSONPatch{
 89	// op: "add",
 90	// path: "/spec/selector",
 91	// value: Object.spec.selector{matchLabels: {"environment":
 92	// "test"}}
 93	// }
 94	// ]
 95	//
 96	// To use strings containing '/' and '~' as JSONPatch path keys,
 97	// use "jsonpatch.escapeKey". For example:
 98	//
 99	// [
100	// JSONPatch{
101	// op: "add",
102	// path: "/metadata/labels/" +
103	// jsonpatch.escapeKey("example.com/environment"),
104	// value: "test"
105	// },
106	// ]
107	//
108	// CEL expressions have access to the types needed to create JSON
109	// patches and objects:
110	//
111	// - 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch
112	// has the fields 'op', 'from', 'path' and 'value'.
113	// See [JSON patch](https://jsonpatch.com/) for more details. The
114	// 'value' field may be set to any of: string,
115	// integer, array, map or object. If set, the 'path' and 'from'
116	// fields must be set to a
117	// [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/)
118	// string, where the 'jsonpatch.escapeKey()' CEL
119	// function may be used to escape path keys containing '/' and
120	// '~'.
121	// - 'Object' - CEL type of the resource object. -
122	// 'Object.<fieldName>' - CEL type of object field (such as
123	// 'Object.spec') -
124	// 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type
125	// of nested field (such as 'Object.spec.containers')
126	//
127	// CEL expressions have access to the contents of the API request,
128	// organized into CEL variables as well as some other useful
129	// variables:
130	//
131	// - 'object' - The object from the incoming request. The value is
132	// null for DELETE requests. - 'oldObject' - The existing object.
133	// The value is null for CREATE requests. - 'request' -
134	// Attributes of the API
135	// request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
136	// - 'params' - Parameter resource referred to by the policy
137	// binding being evaluated. Only populated if the policy has a
138	// ParamKind. - 'namespaceObject' - The namespace object that the
139	// incoming object belongs to. The value is null for
140	// cluster-scoped resources. - 'variables' - Map of composited
141	// variables, from its name to its lazily evaluated value.
142	// For example, a variable named 'foo' can be accessed as
143	// 'variables.foo'.
144	// - 'authorizer' - A CEL Authorizer. May be used to perform
145	// authorization checks for the principal (user or service
146	// account) of the request.
147	// See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
148	// - 'authorizer.requestResource' - A CEL ResourceCheck
149	// constructed from the 'authorizer' and configured with the
150	// request resource.
151	//
152	// CEL expressions have access to [Kubernetes CEL function
153	// libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries)
154	// as well as:
155	//
156	// - 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~'
157	// and '/' are escaped as '~0' and `~1' respectively).
158	//
159	// Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
160	// are accessible. Required.
161	"expression"?: string
162}
163
// MatchCondition represents a condition which must be fulfilled
// for a request to be sent to a webhook.
#MatchCondition: {
	// Name is an identifier for this match condition, used for
	// strategic merging of MatchConditions, as well as providing an
	// identifier for logging purposes. A good name should be
	// descriptive of the associated expression. Name must be a
	// qualified name consisting of alphanumeric characters, '-', '_'
	// or '.', and must start and end with an alphanumeric character
	// (e.g. 'MyName', or 'my.name', or '123-abc'; the regex used for
	// validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with
	// an optional DNS subdomain prefix and '/' (e.g.
	// 'example.com/MyName').
	//
	// Required.
	name!: string

	// Expression represents the expression which will be evaluated by
	// CEL. Must evaluate to bool. CEL expressions have access to the
	// contents of the AdmissionRequest and Authorizer, organized
	// into CEL variables:
	//
	// - 'object' - The object from the incoming request. The value is
	//   null for DELETE requests.
	// - 'oldObject' - The existing object. The value is null for
	//   CREATE requests.
	// - 'request' - Attributes of the admission request
	//   (/pkg/apis/admission/types.go#AdmissionRequest).
	// - 'authorizer' - A CEL Authorizer. May be used to perform
	//   authorization checks for the principal (user or service
	//   account) of the request.
	//   See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
	// - 'authorizer.requestResource' - A CEL ResourceCheck constructed
	//   from the 'authorizer' and configured with the request
	//   resource.
	//
	// Documentation on CEL:
	// https://kubernetes.io/docs/reference/using-api/cel/
	//
	// Required.
	expression!: string
}
204
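// MatchResources decides whether to run the admission control
// policy on an object based on whether it meets the match
// criteria. The exclude rules take precedence over include rules
// (if a resource matches both, it is excluded).
#MatchResources: {
	// ExcludeResourceRules describes what operations on what
	// resources/subresources the ValidatingAdmissionPolicy should
	// not care about. The exclude rules take precedence over include
	// rules (if a resource matches both, it is excluded).
	excludeResourceRules?: [...#NamedRuleWithOperations]

	// matchPolicy defines how the "MatchResources" list is used to
	// match incoming requests. Allowed values are "Exact" or
	// "Equivalent".
	//
	// - Exact: match a request only if it exactly matches a specified
	//   rule. For example, if deployments can be modified via apps/v1,
	//   apps/v1beta1, and extensions/v1beta1, but "rules" only
	//   included `apiGroups:["apps"], apiVersions:["v1"], resources:
	//   ["deployments"]`, a request to apps/v1beta1 or
	//   extensions/v1beta1 would not be sent to the
	//   ValidatingAdmissionPolicy.
	//
	// - Equivalent: match a request if it modifies a resource listed
	//   in rules, even via another API group or version. For example,
	//   if deployments can be modified via apps/v1, apps/v1beta1, and
	//   extensions/v1beta1, and "rules" only included
	//   `apiGroups:["apps"], apiVersions:["v1"], resources:
	//   ["deployments"]`, a request to apps/v1beta1 or
	//   extensions/v1beta1 would be converted to apps/v1 and sent to
	//   the ValidatingAdmissionPolicy.
	//
	// Defaults to "Equivalent".
	//
	// Constrained to the two documented values so that a misspelled
	// policy is caught at schema validation time rather than by the
	// API server.
	matchPolicy?: "Exact" | "Equivalent"

	// NamespaceSelector decides whether to run the admission control
	// policy on an object based on whether the namespace for that
	// object matches the selector. If the object itself is a
	// namespace, the matching is performed on
	// object.metadata.labels. If the object is another cluster
	// scoped resource, it never skips the policy.
	//
	// For example, to run the webhook on any objects whose namespace
	// is not associated with "runlevel" of "0" or "1", you will set
	// the selector as follows:
	//
	//   "namespaceSelector": {
	//     "matchExpressions": [
	//       {
	//         "key": "runlevel",
	//         "operator": "NotIn",
	//         "values": ["0", "1"]
	//       }
	//     ]
	//   }
	//
	// If instead you want to only run the policy on any objects whose
	// namespace is associated with the "environment" of "prod" or
	// "staging", you will set the selector as follows:
	//
	//   "namespaceSelector": {
	//     "matchExpressions": [
	//       {
	//         "key": "environment",
	//         "operator": "In",
	//         "values": ["prod", "staging"]
	//       }
	//     ]
	//   }
	//
	// See
	// https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
	// for more examples of label selectors.
	//
	// Default to the empty LabelSelector, which matches everything.
	namespaceSelector?: v1.#LabelSelector

	// ObjectSelector decides whether to run the validation based on
	// if the object has matching labels. objectSelector is evaluated
	// against both the oldObject and newObject that would be sent to
	// the cel validation, and is considered to match if either
	// object matches the selector. A null object (oldObject in the
	// case of create, or newObject in the case of delete) or an
	// object that cannot have labels (like a DeploymentRollback or a
	// PodProxyOptions object) is not considered to match. Use the
	// object selector only if the webhook is opt-in, because end
	// users may skip the admission webhook by setting the labels.
	// Default to the empty LabelSelector, which matches everything.
	objectSelector?: v1.#LabelSelector

	// ResourceRules describes what operations on what
	// resources/subresources the ValidatingAdmissionPolicy matches.
	// The policy cares about an operation if it matches _any_ Rule.
	resourceRules?: [...#NamedRuleWithOperations]
}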
303
// MutatingAdmissionPolicy describes the definition of an
// admission mutation policy that mutates the object coming into
// admission chain.
#MutatingAdmissionPolicy: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// Pinned to the group/version this package models. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "admissionregistration.k8s.io/v1beta1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. Pinned to this type's kind. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "MutatingAdmissionPolicy"

	// Standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ObjectMeta

	// Specification of the desired behavior of the
	// MutatingAdmissionPolicy.
	spec?: #MutatingAdmissionPolicySpec
}
330
// MutatingAdmissionPolicyBinding binds the
// MutatingAdmissionPolicy with parametrized resources.
// MutatingAdmissionPolicyBinding and the optional parameter
// resource together define how cluster administrators configure
// policies for clusters.
//
// For a given admission request, each binding will cause its
// policy to be evaluated N times, where N is 1 for
// policies/bindings that don't use params, otherwise N is the
// number of parameters selected by the binding. Each evaluation
// is constrained by a [runtime cost
// budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).
//
// Adding/removing policies, bindings, or params can not affect
// whether a given (policy, binding, param) combination is within
// its own CEL budget.
#MutatingAdmissionPolicyBinding: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// Pinned to the group/version this package models. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "admissionregistration.k8s.io/v1beta1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. Pinned to this type's kind. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "MutatingAdmissionPolicyBinding"

	// Standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ObjectMeta

	// Specification of the desired behavior of the
	// MutatingAdmissionPolicyBinding.
	spec?: #MutatingAdmissionPolicyBindingSpec
}
370
// MutatingAdmissionPolicyBindingList is a list of
// MutatingAdmissionPolicyBinding.
#MutatingAdmissionPolicyBindingList: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// Pinned to the group/version this package models. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "admissionregistration.k8s.io/v1beta1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. Pinned to this type's kind. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "MutatingAdmissionPolicyBindingList"

	// Standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	metadata?: v1.#ListMeta

	// List of MutatingAdmissionPolicyBinding. Required.
	items!: [...#MutatingAdmissionPolicyBinding]
}
395
// MutatingAdmissionPolicyBindingSpec is the specification of the
// MutatingAdmissionPolicyBinding.
#MutatingAdmissionPolicyBindingSpec: {
	// policyName references a MutatingAdmissionPolicy name which the
	// MutatingAdmissionPolicyBinding binds to. If the referenced
	// resource does not exist, this binding is considered invalid
	// and will be ignored. Required.
	//
	// NOTE(review): documented as required but declared optional
	// ('?') here — confirm against the OpenAPI source before
	// tightening to '!'.
	policyName?: string

	// paramRef specifies the parameter resource used to configure the
	// admission control policy. It should point to a resource of the
	// type specified in spec.ParamKind of the bound
	// MutatingAdmissionPolicy. If the policy specifies a ParamKind
	// and the resource referred to by ParamRef does not exist, this
	// binding is considered mis-configured and the FailurePolicy of
	// the MutatingAdmissionPolicy is applied. If the policy does not
	// specify a ParamKind then this field is ignored, and the rules
	// are evaluated without a param.
	paramRef?: #ParamRef

	// matchResources limits what resources match this binding and may
	// be mutated by it. Note that if matchResources matches a
	// resource, the resource must also match a policy's
	// matchConstraints and matchConditions before the resource may
	// be mutated. When matchResources is unset, it does not
	// constrain resource matching, and only the policy's
	// matchConstraints and matchConditions must match for the
	// resource to be mutated. Additionally,
	// matchResources.resourceRules are optional and do not
	// constrain matching when unset. Note that this differs from
	// MutatingAdmissionPolicy matchConstraints, where resourceRules
	// are required. The CREATE, UPDATE and CONNECT operations are
	// allowed. The DELETE operation may not be matched. '*' matches
	// CREATE, UPDATE and CONNECT.
	matchResources?: #MatchResources
}
432
// MutatingAdmissionPolicyList is a list of
// MutatingAdmissionPolicy.
#MutatingAdmissionPolicyList: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// Pinned to the group/version this package models. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "admissionregistration.k8s.io/v1beta1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. Pinned to this type's kind. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "MutatingAdmissionPolicyList"

	// Standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	metadata?: v1.#ListMeta

	// List of MutatingAdmissionPolicy (the element type is
	// #MutatingAdmissionPolicy, not ValidatingAdmissionPolicy).
	// Required.
	items!: [...#MutatingAdmissionPolicy]
}
457
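// MutatingAdmissionPolicySpec is the specification of the desired
// behavior of the admission policy.
#MutatingAdmissionPolicySpec: {
	// failurePolicy defines how to handle failures for the admission
	// policy. Failures can occur from CEL expression parse errors,
	// type check errors, runtime errors and invalid or
	// mis-configured policy definitions or bindings.
	//
	// A policy is invalid if paramKind refers to a non-existent Kind.
	// A binding is invalid if paramRef.name refers to a non-existent
	// resource.
	//
	// failurePolicy does not define how validations that evaluate to
	// false are handled.
	//
	// Allowed values are Ignore or Fail. Defaults to Fail.
	//
	// Ignore is fail-open: when the policy cannot be evaluated it is
	// skipped and the request proceeds without it. Constrained to
	// the two documented values so a typo cannot silently select a
	// value the API server rejects.
	failurePolicy?: "Ignore" | "Fail"

	// matchConditions is a list of conditions that must be met for a
	// request to be validated. Match conditions filter requests that
	// have already been matched by the matchConstraints. An empty
	// list of matchConditions matches all requests. There are a
	// maximum of 64 match conditions allowed.
	//
	// If a parameter object is provided, it can be accessed via the
	// `params` handle in the same manner as validation expressions.
	//
	// The exact matching logic is (in order):
	//   1. If ANY matchCondition evaluates to FALSE, the policy is
	//      skipped.
	//   2. If ALL matchConditions evaluate to TRUE, the policy is
	//      evaluated.
	//   3. If any matchCondition evaluates to an error (but none are
	//      FALSE):
	//      - If failurePolicy=Fail, reject the request
	//      - If failurePolicy=Ignore, the policy is skipped
	matchConditions?: [...#MatchCondition]

	// matchConstraints specifies what resources this policy is
	// designed to validate. The MutatingAdmissionPolicy cares about
	// a request if it matches _all_ Constraints. However, in order
	// to prevent clusters from being put into an unstable state that
	// cannot be recovered from via the API, MutatingAdmissionPolicy
	// cannot match MutatingAdmissionPolicy and
	// MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT
	// operations are allowed. The DELETE operation may not be
	// matched. '*' matches CREATE, UPDATE and CONNECT. Required.
	matchConstraints?: #MatchResources

	// mutations contain operations to perform on matching objects.
	// mutations may not be empty; a minimum of one mutation is
	// required. mutations are evaluated in order, and are reinvoked
	// according to the reinvocationPolicy. The mutations of a policy
	// are invoked for each binding of this policy and reinvocation
	// of mutations occurs on a per binding basis.
	mutations?: [...#Mutation]

	// paramKind specifies the kind of resources used to parameterize
	// this policy. If absent, there are no parameters for this
	// policy and the param CEL variable will not be provided to
	// validation expressions. If paramKind refers to a non-existent
	// kind, this policy definition is mis-configured and the
	// FailurePolicy is applied. If paramKind is specified but
	// paramRef is unset in MutatingAdmissionPolicyBinding, the
	// params variable will be null.
	paramKind?: #ParamKind

	// reinvocationPolicy indicates whether mutations may be called
	// multiple times per MutatingAdmissionPolicyBinding as part of a
	// single admission evaluation. Allowed values are "Never" and
	// "IfNeeded".
	//
	// Never: These mutations will not be called more than once per
	// binding in a single admission evaluation.
	//
	// IfNeeded: These mutations may be invoked more than once per
	// binding for a single admission request and there is no
	// guarantee of order with respect to other admission plugins,
	// admission webhooks, bindings of this policy and admission
	// policies. Mutations are only reinvoked when mutations change
	// the object after this mutation is invoked. Required.
	//
	// Constrained to the two documented values.
	reinvocationPolicy?: "Never" | "IfNeeded"

	// variables contain definitions of variables that can be used in
	// composition of other expressions. Each variable is defined as
	// a named CEL expression. The variables defined here will be
	// available under `variables` in other expressions of the policy
	// except matchConditions because matchConditions are evaluated
	// before the rest of the policy.
	//
	// The expression of a variable can refer to other variables
	// defined earlier in the list but not those after. Thus,
	// variables must be sorted by the order of first appearance and
	// acyclic.
	variables?: [...#Variable]
}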
554
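// Mutation specifies the CEL expression which is used to apply
// the Mutation.
#Mutation: {
	// applyConfiguration defines the desired configuration values of
	// an object. The configuration is applied to the admission
	// object using [structured merge
	// diff](https://github.com/kubernetes-sigs/structured-merge-diff).
	// A CEL expression is used to create apply configuration.
	applyConfiguration?: #ApplyConfiguration

	// jsonPatch defines a [JSON patch](https://jsonpatch.com/)
	// operation to perform a mutation to the object. A CEL
	// expression is used to create the JSON patch.
	jsonPatch?: #JSONPatch

	// patchType indicates the patch strategy used. Allowed values are
	// "ApplyConfiguration" and "JSONPatch". Required.
	//
	// Constrained to the two documented values so that a policy with
	// an unknown patch strategy fails schema validation instead of
	// reaching the API server.
	patchType!: "ApplyConfiguration" | "JSONPatch"
}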
574
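// NamedRuleWithOperations is a tuple of Operations and Resources
// with ResourceNames.
#NamedRuleWithOperations: {
	// APIGroups is the API groups the resources belong to. '*' is all
	// groups. If '*' is present, the length of the slice must be
	// one. Required.
	apiGroups?: [...string]

	// APIVersions is the API versions the resources belong to. '*' is
	// all versions. If '*' is present, the length of the slice must
	// be one. Required.
	apiVersions?: [...string]

	// Operations is the operations the admission hook cares about -
	// CREATE, UPDATE, DELETE, CONNECT or * for all of those
	// operations and any future admission operations that are added.
	// If '*' is present, the length of the slice must be one.
	// Required.
	//
	// Each element is constrained to the documented operation names;
	// '*' is the only way to cover operations added in the future.
	operations?: [...("CREATE" | "UPDATE" | "DELETE" | "CONNECT" | "*")]

	// ResourceNames is an optional allow list of names that the rule
	// applies to. An empty set means that everything is allowed.
	resourceNames?: [...string]

	// Resources is a list of resources this rule applies to.
	//
	// For example: 'pods' means pods. 'pods/log' means the log
	// subresource of pods. '*' means all resources, but not
	// subresources. 'pods/*' means all subresources of pods.
	// '*/scale' means all scale subresources. '*/*' means all
	// resources and their subresources.
	//
	// If wildcard is present, the validation rule will ensure
	// resources do not overlap with each other.
	//
	// Depending on the enclosing object, subresources might not be
	// allowed. Required.
	resources?: [...string]

	// scope specifies the scope of this rule. Valid values are
	// "Cluster", "Namespaced", and "*". "Cluster" means that only
	// cluster-scoped resources will match this rule. Namespace API
	// objects are cluster-scoped. "Namespaced" means that only
	// namespaced resources will match this rule. "*" means that
	// there are no scope restrictions. Subresources match the scope
	// of their parent resource. Default is "*".
	//
	// Constrained to the three documented values.
	scope?: "Cluster" | "Namespaced" | "*"
}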
623
// ParamKind is a tuple of Group Kind and Version.
#ParamKind: {
	// Kind is the API kind the resources belong to. Required.
	kind?: string

	// APIVersion is the API group version the resources belong to, in
	// the format "group/version". Required.
	apiVersion?: string
}
633
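// ParamRef describes how to locate the params to be used as input
// to expressions of rules applied by a policy binding.
#ParamRef: {
	// name is the name of the resource being referenced.
	//
	// One of `name` or `selector` must be set, but `name` and
	// `selector` are mutually exclusive properties. If one is set,
	// the other must be unset.
	//
	// A single parameter used for all admission requests can be
	// configured by setting the `name` field, leaving `selector`
	// blank, and setting namespace if `paramKind` is
	// namespace-scoped.
	name?: string

	// namespace is the namespace of the referenced resource. Allows
	// limiting the search for params to a specific namespace.
	// Applies to both `name` and `selector` fields.
	//
	// A per-namespace parameter may be used by specifying a
	// namespace-scoped `paramKind` in the policy and leaving this
	// field empty.
	//
	// - If `paramKind` is cluster-scoped, this field MUST be unset.
	//   Setting this field results in a configuration error.
	//
	// - If `paramKind` is namespace-scoped, the namespace of the
	//   object being evaluated for admission will be used when this
	//   field is left unset. Take care that if this is left empty the
	//   binding must not match any cluster-scoped resources, which
	//   will result in an error.
	namespace?: string

	// `parameterNotFoundAction` controls the behavior of the binding
	// when the resource exists, and name or selector is valid, but
	// there are no parameters matched by the binding. If the value
	// is set to `Allow`, then no matched parameters will be treated
	// as successful validation by the binding. If set to `Deny`,
	// then no matched parameters will be subject to the
	// `failurePolicy` of the policy.
	//
	// Allowed values are `Allow` or `Deny`.
	//
	// Required.
	//
	// Constrained to the two documented values; note that `Allow` is
	// the fail-open choice when no parameter matches.
	parameterNotFoundAction?: "Allow" | "Deny"

	// selector can be used to match multiple param objects based on
	// their labels. Supply selector: {} to match all resources of
	// the ParamKind.
	//
	// If multiple params are found, they are all evaluated with the
	// policy expressions and the results are ANDed together.
	//
	// One of `name` or `selector` must be set, but `name` and
	// `selector` are mutually exclusive properties. If one is set,
	// the other must be unset.
	selector?: v1.#LabelSelector
}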
692
// Variable is the definition of a variable that is used for
// composition. A variable is defined as a named expression.
#Variable: {
	// Name is the name of the variable. The name must be a valid CEL
	// identifier and unique among all variables. The variable can be
	// accessed in other expressions through `variables`. For example,
	// if name is "foo", the variable will be available as
	// `variables.foo`.
	name!: string

	// Expression is the expression that will be evaluated as the
	// value of the variable. The CEL expression has access to the
	// same identifiers as the CEL expressions in Validation.
	expression!: string
}