1package v2
2
3import (
4 "time"
5 "strings"
6)
7
8// CleanupPolicy defines a rule for resource cleanup.
#CleanupPolicy: {
	// Schema for a Kyverno CleanupPolicy (apiVersion "kyverno.io/v2"; a
	// namespaced resource, see the `metadata!` block at the end of this
	// definition). A policy selects resources through match/exclude rules,
	// optionally narrows the selection with JMESPath conditions backed by
	// external context entries, and deletes the selection on a cron
	// schedule.
	// The per-field doc comments appear to be carried over from the
	// upstream CRD; what this file actually enforces is the set of CUE
	// constraints (enums, matchN(), regexes, required `!` fields).
	_embeddedResource

	// APIVersion defines the versioned schema of this representation
	// of an object.
	// Servers should convert recognized schemas to the latest
	// internal value, and
	// may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion"?: string

	// Kind is a string value representing the REST resource this
	// object represents.
	// Servers may infer this from the endpoint the client submits
	// requests to.
	// Cannot be updated.
	// In CamelCase.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind"?: string
	// Unified with the `metadata!` declaration at the bottom of this
	// definition, which is where name/namespace become required.
	"metadata"?: {}

	// Spec declares policy behaviors.
	"spec"!: {
		// Conditions defines the conditions used to select the resources
		// which will be cleaned up.
		"conditions"?: {
			// AllConditions enable variable-based conditional rule execution.
			// This is useful for
			// finer control of when a rule is applied. A condition can
			// reference object data
			// using JMESPath notation.
			// Here, all of the conditions need to pass.
			"all"?: [...{
				// Key is the context entry (using JMESPath) for conditional rule
				// evaluation.
				"key"?: null | bool | number | string | [...] | {
					...
				}

				// Message is an optional display message
				"message"?: string

				// Operator is the conditional operation to perform. Valid
				// operators are:
				// Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn,
				// GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan,
				// DurationGreaterThanOrEquals, DurationGreaterThan,
				// DurationLessThanOrEquals, DurationLessThan.
				// The upstream doc also lists In and NotIn, but the enum below
				// does not accept them.
				"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"

				// Value is the conditional value, or set of values. The values
				// can be a fixed set
				// or can be variables declared using JMESPath.
				"value"?: null | bool | number | string | [...] | {
					...
				}
			}]

			// AnyConditions enable variable-based conditional rule execution.
			// This is useful for
			// finer control of when a rule is applied. A condition can
			// reference object data
			// using JMESPath notation.
			// Here, at least one of the conditions needs to pass.
			"any"?: [...{
				// Key is the context entry (using JMESPath) for conditional rule
				// evaluation.
				"key"?: null | bool | number | string | [...] | {
					...
				}

				// Message is an optional display message
				"message"?: string

				// Operator is the conditional operation to perform. Valid
				// operators are:
				// Equals, NotEquals, AnyIn, AllIn, AnyNotIn, AllNotIn,
				// GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan,
				// DurationGreaterThanOrEquals, DurationGreaterThan,
				// DurationLessThanOrEquals, DurationLessThan.
				// The upstream doc also lists In and NotIn, but the enum below
				// does not accept them.
				"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"

				// Value is the conditional value, or set of values. The values
				// can be a fixed set
				// or can be variables declared using JMESPath.
				"value"?: null | bool | number | string | [...] | {
					...
				}
			}]
		}

		// Context defines variables and data sources that can be used
		// during rule execution.
		// matchN(1, ...) requires that exactly one of configMap, apiCall,
		// imageRegistry, variable or globalReference is set per entry.
		"context"?: [...matchN(1, [{
			"configMap"!: _
		}, {
			"apiCall"!: _
		}, {
			"imageRegistry"!: _
		}, {
			"variable"!: _
		}, {
			"globalReference"!: _
		}]) & {
			// APICall is an HTTP request to the Kubernetes API server, or
			// other JSON web service.
			// The data returned is stored in the context with the name for
			// the context entry.
			// The request is made by the controller on the policy's behalf;
			// this schema validates only the shape of the call, not where it
			// may go.
			"apiCall"?: {
				// The data object specifies the POST data sent to the server.
				// Only applicable when the method field is set to POST.
				"data"?: [...{
					// Key is a unique identifier for the data value
					"key"!: string

					// Value is the data value
					"value"!: null | bool | number | string | [...] | {
						...
					}
				}]

				// Default is an optional arbitrary JSON object that the context
				// value is set to, if the apiCall returns error.
				"default"?: null | bool | number | string | [...] | {
					...
				}

				// JMESPath is an optional JSON Match Expression that can be used
				// to
				// transform the JSON response returned from the server. For
				// example
				// a JMESPath of "items | length(@)" applied to the API server
				// response
				// for the URLPath "/apis/apps/v1/deployments" will return the
				// total count
				// of deployments across all namespaces.
				"jmesPath"?: string

				// Method is the HTTP request type (GET or POST). Defaults to GET.
				"method"?: "GET" | "POST"

				// Service is an API call to a JSON web service.
				// This is used for non-Kubernetes API server calls.
				// It's mutually exclusive with the URLPath field.
				// NOTE(review): the exclusivity with urlPath is stated in the
				// doc only; no matchN() enforces it in this schema.
				"service"?: {
					// CABundle is a PEM encoded CA bundle which will be used to
					// validate
					// the server certificate.
					// Accepted as any string; PEM well-formedness is not checked
					// here.
					"caBundle"?: string

					// Headers is a list of optional HTTP headers to be included in
					// the request.
					// Header values are plain strings stored in the policy object
					// itself, so anything placed here is as visible as the policy.
					"headers"?: [...{
						// Key is the header key
						"key"!: string

						// Value is the header value
						"value"!: string
					}]

					// URL is the JSON web service URL. A typical form is
					// `https://{service}.{namespace}:{port}/{path}`.
					// Any string is accepted; scheme and host are not restricted
					// by this schema.
					"url"!: string
				}

				// URLPath is the URL path to be used in the HTTP GET or POST
				// request to the
				// Kubernetes API server (e.g. "/api/v1/namespaces" or
				// "/apis/apps/v1/deployments").
				// The format required is the same format used by the `kubectl get
				// --raw` command.
				// See
				// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
				// for details.
				// It's mutually exclusive with the Service field.
				"urlPath"?: string
			}

			// ConfigMap is the ConfigMap reference.
			"configMap"?: {
				// Name is the ConfigMap name.
				"name"!: string

				// Namespace is the ConfigMap namespace.
				"namespace"?: string
			}

			// GlobalContextEntryReference is a reference to a cached global
			// context entry.
			"globalReference"?: {
				// JMESPath is an optional JSON Match Expression that can be used
				// to
				// transform the JSON response returned from the server. For
				// example
				// a JMESPath of "items | length(@)" applied to the API server
				// response
				// for the URLPath "/apis/apps/v1/deployments" will return the
				// total count
				// of deployments across all namespaces.
				"jmesPath"?: string

				// Name of the global context entry
				"name"!: string
			}

			// ImageRegistry defines requests to an OCI/Docker V2 registry to
			// fetch image
			// details.
			"imageRegistry"?: {
				// ImageRegistryCredentials provides credentials that will be used
				// for authentication with registry
				"imageRegistryCredentials"?: {
					// AllowInsecureRegistry allows insecure access to a registry.
					// Enabling this relaxes transport verification for the
					// registry lookups made on the policy's behalf; exactly what
					// is relaxed (plain HTTP, certificate checks) is not specified
					// here — confirm against the controller before relying on it.
					"allowInsecureRegistry"?: bool

					// Providers specifies a list of OCI registry names whose
					// authentication providers should be used.
					// It can be one of these values:
					// default,google,azure,amazon,github.
					"providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]

					// Secrets specifies a list of secrets that are provided for
					// credentials.
					// Secrets must live in the Kyverno namespace.
					// Only secret names are listed here; the namespace rule above
					// is a controller-side expectation, not a schema check.
					"secrets"?: [...string]
				}

				// JMESPath is an optional JSON Match Expression that can be used
				// to
				// transform the ImageData struct returned as a result of
				// processing
				// the image reference.
				"jmesPath"?: string

				// Reference is image reference to a container image in the
				// registry.
				// Example: ghcr.io/kyverno/kyverno:latest
				"reference"!: string
			}

			// Name is the variable name.
			"name"!: string

			// Variable defines an arbitrary JMESPath context variable that
			// can be defined inline.
			"variable"?: {
				// Default is an optional arbitrary JSON object that the variable
				// may take if the JMESPath
				// expression evaluates to nil
				"default"?: null | bool | number | string | [...] | {
					...
				}

				// JMESPath is an optional JMESPath Expression that can be used to
				// transform the variable.
				"jmesPath"?: string

				// Value is any arbitrary JSON object representable in YAML or
				// JSON form.
				"value"?: null | bool | number | string | [...] | {
					...
				}
			}
		}]

		// ExcludeResources defines when cleanuppolicy should not be
		// applied. The exclude
		// criteria can include resource information (e.g. kind, name,
		// namespace, labels)
		// and admission review request information like the name or role.
		// matchN(0, ...) rejects a value that sets both `any` and `all`
		// (and rejects non-struct values outright).
		"exclude"?: matchN(0, [null | bool | number | string | [...] | {
			"any"!: _
			"all"!: _
		}]) & {
			// All allows specifying resources which will be ANDed
			"all"?: [...{
				// ClusterRoles is the list of cluster-wide role names for the
				// user.
				"clusterRoles"?: [...string]

				// ResourceDescription contains information about the resource
				// being created or modified.
				// matchN(0, ...) makes `name` and `names` mutually exclusive.
				"resources"?: matchN(0, [null | bool | number | string | [...] | {
					"name"!: _
					"names"!: _
				}]) & {
					// Annotations is a map of annotations (key-value pairs of type
					// string). Annotation keys
					// and values support the wildcard characters "*" (matches zero or
					// many characters) and
					// "?" (matches at least one character).
					"annotations"?: [string]: string

					// Kinds is a list of resource kinds.
					"kinds"?: [...string]

					// Name is the name of the resource. The name supports wildcard
					// characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					// NOTE: "Name" is being deprecated in favor of "Names".
					"name"?: string

					// Names are the names of the resources. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"names"?: [...string]

					// NamespaceSelector is a label selector for the resource
					// namespace. Label keys and values
					// in `matchLabels` support the wildcard characters `*` (matches
					// zero or many characters)
					// and `?` (matches one character). Wildcards allow writing label
					// selectors like
					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
					// any key and value but
					// does not match an empty label set.
					"namespaceSelector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							// Typed as a free-form string here; the operator set is not
							// enforced by this schema.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}

					// Namespaces is a list of namespace names. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"namespaces"?: [...string]

					// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
					// "DELETE"], which are used to match a specific action.
					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

					// Selector is a label selector. Label keys and values in
					// `matchLabels` support the wildcard
					// characters `*` (matches zero or many characters) and `?`
					// (matches one character).
					// Wildcards allow writing label selectors like
					// ["storage.k8s.io/*": "*"]. Note that
					// using ["*" : "*"] matches any key and value but does not match
					// an empty label set.
					"selector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}
				}

				// Roles is the list of namespaced role names for the user.
				"roles"?: [...string]

				// Subjects is the list of subject names like users, user groups,
				// and service accounts.
				"subjects"?: [...{
					// APIGroup holds the API group of the referenced subject.
					// Defaults to "" for ServiceAccount subjects.
					// Defaults to "rbac.authorization.k8s.io" for User and Group
					// subjects.
					"apiGroup"?: string

					// Kind of object being referenced. Values defined by this API
					// group are "User", "Group", and "ServiceAccount".
					// If the Authorizer does not recognize the kind value, the
					// Authorizer should report an error.
					"kind"!: string

					// Name of the object being referenced.
					"name"!: string

					// Namespace of the referenced object. If the object kind is
					// non-namespace, such as "User" or "Group", and this value is
					// not empty
					// the Authorizer should report an error.
					"namespace"?: string
				}]
			}]

			// Any allows specifying resources which will be ORed
			// Same element shape as `all` above.
			"any"?: [...{
				// ClusterRoles is the list of cluster-wide role names for the
				// user.
				"clusterRoles"?: [...string]

				// ResourceDescription contains information about the resource
				// being created or modified.
				// matchN(0, ...) makes `name` and `names` mutually exclusive.
				"resources"?: matchN(0, [null | bool | number | string | [...] | {
					"name"!: _
					"names"!: _
				}]) & {
					// Annotations is a map of annotations (key-value pairs of type
					// string). Annotation keys
					// and values support the wildcard characters "*" (matches zero or
					// many characters) and
					// "?" (matches at least one character).
					"annotations"?: [string]: string

					// Kinds is a list of resource kinds.
					"kinds"?: [...string]

					// Name is the name of the resource. The name supports wildcard
					// characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					// NOTE: "Name" is being deprecated in favor of "Names".
					"name"?: string

					// Names are the names of the resources. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"names"?: [...string]

					// NamespaceSelector is a label selector for the resource
					// namespace. Label keys and values
					// in `matchLabels` support the wildcard characters `*` (matches
					// zero or many characters)
					// and `?` (matches one character). Wildcards allow writing label
					// selectors like
					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
					// any key and value but
					// does not match an empty label set.
					"namespaceSelector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}

					// Namespaces is a list of namespace names. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"namespaces"?: [...string]

					// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
					// "DELETE"], which are used to match a specific action.
					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

					// Selector is a label selector. Label keys and values in
					// `matchLabels` support the wildcard
					// characters `*` (matches zero or many characters) and `?`
					// (matches one character).
					// Wildcards allow writing label selectors like
					// ["storage.k8s.io/*": "*"]. Note that
					// using ["*" : "*"] matches any key and value but does not match
					// an empty label set.
					"selector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}
				}

				// Roles is the list of namespaced role names for the user.
				"roles"?: [...string]

				// Subjects is the list of subject names like users, user groups,
				// and service accounts.
				"subjects"?: [...{
					// APIGroup holds the API group of the referenced subject.
					// Defaults to "" for ServiceAccount subjects.
					// Defaults to "rbac.authorization.k8s.io" for User and Group
					// subjects.
					"apiGroup"?: string

					// Kind of object being referenced. Values defined by this API
					// group are "User", "Group", and "ServiceAccount".
					// If the Authorizer does not recognize the kind value, the
					// Authorizer should report an error.
					"kind"!: string

					// Name of the object being referenced.
					"name"!: string

					// Namespace of the referenced object. If the object kind is
					// non-namespace, such as "User" or "Group", and this value is
					// not empty
					// the Authorizer should report an error.
					"namespace"?: string
				}]
			}]
		}

		// MatchResources defines when cleanuppolicy should be applied.
		// The match
		// criteria can include resource information (e.g. kind, name,
		// namespace, labels)
		// and admission review request information like the user name or
		// role.
		// At least one kind is required.
		// NOTE(review): "at least one kind is required" is not expressed in
		// this schema — `match` must be present, but both `any` and `all`
		// are optional and `kinds` is optional inside them.
		// matchN(0, ...) rejects a value that sets both `any` and `all`
		// (and rejects non-struct values outright).
		"match"!: matchN(0, [null | bool | number | string | [...] | {
			"any"!: _
			"all"!: _
		}]) & {
			// All allows specifying resources which will be ANDed
			"all"?: [...{
				// ClusterRoles is the list of cluster-wide role names for the
				// user.
				"clusterRoles"?: [...string]

				// ResourceDescription contains information about the resource
				// being created or modified.
				// matchN(0, ...) makes `name` and `names` mutually exclusive.
				"resources"?: matchN(0, [null | bool | number | string | [...] | {
					"name"!: _
					"names"!: _
				}]) & {
					// Annotations is a map of annotations (key-value pairs of type
					// string). Annotation keys
					// and values support the wildcard characters "*" (matches zero or
					// many characters) and
					// "?" (matches at least one character).
					"annotations"?: [string]: string

					// Kinds is a list of resource kinds.
					"kinds"?: [...string]

					// Name is the name of the resource. The name supports wildcard
					// characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					// NOTE: "Name" is being deprecated in favor of "Names".
					"name"?: string

					// Names are the names of the resources. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"names"?: [...string]

					// NamespaceSelector is a label selector for the resource
					// namespace. Label keys and values
					// in `matchLabels` support the wildcard characters `*` (matches
					// zero or many characters)
					// and `?` (matches one character). Wildcards allow writing label
					// selectors like
					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
					// any key and value but
					// does not match an empty label set.
					"namespaceSelector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}

					// Namespaces is a list of namespace names. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"namespaces"?: [...string]

					// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
					// "DELETE"], which are used to match a specific action.
					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

					// Selector is a label selector. Label keys and values in
					// `matchLabels` support the wildcard
					// characters `*` (matches zero or many characters) and `?`
					// (matches one character).
					// Wildcards allow writing label selectors like
					// ["storage.k8s.io/*": "*"]. Note that
					// using ["*" : "*"] matches any key and value but does not match
					// an empty label set.
					"selector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}
				}

				// Roles is the list of namespaced role names for the user.
				"roles"?: [...string]

				// Subjects is the list of subject names like users, user groups,
				// and service accounts.
				"subjects"?: [...{
					// APIGroup holds the API group of the referenced subject.
					// Defaults to "" for ServiceAccount subjects.
					// Defaults to "rbac.authorization.k8s.io" for User and Group
					// subjects.
					"apiGroup"?: string

					// Kind of object being referenced. Values defined by this API
					// group are "User", "Group", and "ServiceAccount".
					// If the Authorizer does not recognize the kind value, the
					// Authorizer should report an error.
					"kind"!: string

					// Name of the object being referenced.
					"name"!: string

					// Namespace of the referenced object. If the object kind is
					// non-namespace, such as "User" or "Group", and this value is
					// not empty
					// the Authorizer should report an error.
					"namespace"?: string
				}]
			}]

			// Any allows specifying resources which will be ORed
			// Same element shape as `all` above.
			"any"?: [...{
				// ClusterRoles is the list of cluster-wide role names for the
				// user.
				"clusterRoles"?: [...string]

				// ResourceDescription contains information about the resource
				// being created or modified.
				// matchN(0, ...) makes `name` and `names` mutually exclusive.
				"resources"?: matchN(0, [null | bool | number | string | [...] | {
					"name"!: _
					"names"!: _
				}]) & {
					// Annotations is a map of annotations (key-value pairs of type
					// string). Annotation keys
					// and values support the wildcard characters "*" (matches zero or
					// many characters) and
					// "?" (matches at least one character).
					"annotations"?: [string]: string

					// Kinds is a list of resource kinds.
					"kinds"?: [...string]

					// Name is the name of the resource. The name supports wildcard
					// characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					// NOTE: "Name" is being deprecated in favor of "Names".
					"name"?: string

					// Names are the names of the resources. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"names"?: [...string]

					// NamespaceSelector is a label selector for the resource
					// namespace. Label keys and values
					// in `matchLabels` support the wildcard characters `*` (matches
					// zero or many characters)
					// and `?` (matches one character). Wildcards allow writing label
					// selectors like
					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
					// any key and value but
					// does not match an empty label set.
					"namespaceSelector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}

					// Namespaces is a list of namespace names. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"namespaces"?: [...string]

					// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
					// "DELETE"], which are used to match a specific action.
					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

					// Selector is a label selector. Label keys and values in
					// `matchLabels` support the wildcard
					// characters `*` (matches zero or many characters) and `?`
					// (matches one character).
					// Wildcards allow writing label selectors like
					// ["storage.k8s.io/*": "*"]. Note that
					// using ["*" : "*"] matches any key and value but does not match
					// an empty label set.
					"selector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}
				}

				// Roles is the list of namespaced role names for the user.
				"roles"?: [...string]

				// Subjects is the list of subject names like users, user groups,
				// and service accounts.
				"subjects"?: [...{
					// APIGroup holds the API group of the referenced subject.
					// Defaults to "" for ServiceAccount subjects.
					// Defaults to "rbac.authorization.k8s.io" for User and Group
					// subjects.
					"apiGroup"?: string

					// Kind of object being referenced. Values defined by this API
					// group are "User", "Group", and "ServiceAccount".
					// If the Authorizer does not recognize the kind value, the
					// Authorizer should report an error.
					"kind"!: string

					// Name of the object being referenced.
					"name"!: string

					// Namespace of the referenced object. If the object kind is
					// non-namespace, such as "User" or "Group", and this value is
					// not empty
					// the Authorizer should report an error.
					"namespace"?: string
				}]
			}]
		}

		// The schedule in Cron format.
		// Typed as a plain string: cron syntax is not validated by this
		// schema, so a malformed expression is only caught (if at all) by
		// the controller.
		"schedule"!: string
	}

	// Status contains policy runtime data.
	// Written by the controller; the constraints below mirror the
	// Kubernetes metav1.Condition rules.
	"status"?: {
		"conditions"?: [...{
			// lastTransitionTime is the last time the condition transitioned
			// from one status to another.
			// This should be when the underlying condition changed. If that
			// is not known, then using the time when the API field changed
			// is acceptable.
			// time.Time validates an RFC 3339 timestamp string.
			"lastTransitionTime"!: time.Time

			// message is a human readable message indicating details about
			// the transition.
			// This may be an empty string.
			"message"!: strings.MaxRunes(
				32768)

			// observedGeneration represents the .metadata.generation that the
			// condition was set based upon.
			// For instance, if .metadata.generation is currently 12, but the
			// .status.conditions[x].observedGeneration is 9, the condition
			// is out of date
			// with respect to the current state of the instance.
			"observedGeneration"?: int64 & int & >=0

			// reason contains a programmatic identifier indicating the reason
			// for the condition's last transition.
			// Producers of specific condition types may define expected
			// values and meanings for this field,
			// and whether the values are considered a guaranteed API.
			// The value should be a CamelCase string.
			// This field may not be empty.
			// Enforced: 1..1024 runes, starts with a letter, and only
			// [A-Za-z0-9_,:] inside, not ending in "," or ":".
			"reason"!: strings.MaxRunes(
				1024) & strings.MinRunes(
				1) & =~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"

			// status of the condition, one of True, False, Unknown.
			"status"!: "True" | "False" | "Unknown"

			// type of condition in CamelCase or in foo.example.com/CamelCase.
			// Enforced: at most 316 runes, optional DNS-style prefix ending
			// in "/", then a CamelCase-ish name.
			"type"!: strings.MaxRunes(
				316) & =~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
		}]
		// Last time the policy ran (RFC 3339 timestamp string).
		"lastExecutionTime"?: time.Time
	}

	// Minimal Kubernetes object envelope, embedded at the top of this
	// definition; it makes apiVersion and kind required.
	_embeddedResource: {
		"apiVersion"!: string
		"kind"!:       string
		"metadata"?: {
			...
		}
	}
	// Pin the concrete apiVersion/kind. Unified with the optional string
	// fields declared above, these become required, fixed values.
	apiVersion: "kyverno.io/v2"
	kind:       "CleanupPolicy"
	// name and namespace are required (CleanupPolicy is namespaced).
	// The trailing `...` keeps metadata open for other ObjectMeta fields.
	metadata!: {
		"name"!:      string
		"namespace"!: string
		"labels"?: {
			[string]: string
		}
		"annotations"?: {
			[string]: string
		}
		...
	}
}