1package v1
2
3import (
4 "strings"
5 "time"
6)
7
8// ClusterPolicy declares validation, mutation, and generation
9// behaviors for matching resources.
10#ClusterPolicy: {
11 _embeddedResource
12
13 // APIVersion defines the versioned schema of this representation
14 // of an object.
15 // Servers should convert recognized schemas to the latest
16 // internal value, and
17 // may reject unrecognized values.
18 // More info:
19 // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
20 "apiVersion"?: string
21
22 // Kind is a string value representing the REST resource this
23 // object represents.
24 // Servers may infer this from the endpoint the client submits
25 // requests to.
26 // Cannot be updated.
27 // In CamelCase.
28 // More info:
29 // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
30 "kind"?: string
31 "metadata"?: {}
32
33 // Spec declares policy behaviors.
34 "spec"!: {
35 // Admission controls if rules are applied during admission.
36 // Optional. Default value is "true".
37 "admission"?: bool
38
39 // ApplyRules controls how rules in a policy are applied. Rules are
40 // processed in
41 // the order of declaration. When set to `One` processing stops
42 // after a rule has
43 // been applied i.e. the rule matches and results in a pass, fail,
44 // or error. When
45 // set to `All` all rules in the policy are processed. The default
46 // is `All`.
47 "applyRules"?: "All" | "One"
48
49 // Background controls if rules are applied to existing resources
50 // during a background scan.
51 // Optional. Default value is "true". The value must be set to
52 // "false" if the policy rule
53 // uses variables that are only available in the admission review
54 // request (e.g. user name).
55 "background"?: bool
56
57 // EmitWarning enables API response warnings for mutate policy
58 // rules or validate policy rules with validationFailureAction
59 // set to Audit.
60 // Enabling this option will extend admission request processing
61 // times. The default value is "false".
62 "emitWarning"?: bool
63
64 // Deprecated, use failurePolicy under the webhookConfiguration
65 // instead.
66 "failurePolicy"?: "Ignore" | "Fail"
67
68 // Deprecated, use generateExisting under the generate rule
69 // instead
70 "generateExisting"?: bool
71
72 // Deprecated, use generateExisting instead
73 "generateExistingOnPolicyUpdate"?: bool
74
75 // Deprecated, use mutateExistingOnPolicyUpdate under the mutate
76 // rule instead
77 "mutateExistingOnPolicyUpdate"?: bool
78
79 // Rules is a list of Rule instances. A Policy contains multiple
80 // rules and
81 // each rule can validate, mutate, or generate resources.
82 "rules"?: [...{
83 // CELPreconditions are used to determine if a policy rule should
84 // be applied by evaluating a
85 // set of CEL conditions. It can only be used with the
86 // validate.cel subrule
87 "celPreconditions"?: [...{
88 // Expression represents the expression which will be evaluated by
89 // CEL. Must evaluate to bool.
90 // CEL expressions have access to the contents of the
91 // AdmissionRequest and Authorizer, organized into CEL variables:
92 //
93 // 'object' - The object from the incoming request. The value is
94 // null for DELETE requests.
95 // 'oldObject' - The existing object. The value is null for CREATE
96 // requests.
97 // 'request' - Attributes of the admission
98 // request(/pkg/apis/admission/types.go#AdmissionRequest).
99 // 'authorizer' - A CEL Authorizer. May be used to perform
100 // authorization checks for the principal (user or service
101 // account) of the request.
102 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
103 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
104 // from the 'authorizer' and configured with the
105 // request resource.
106 // Documentation on CEL:
107 // https://kubernetes.io/docs/reference/using-api/cel/
108 //
109 // Required.
110 "expression"!: string
111
112 // Name is an identifier for this match condition, used for
113 // strategic merging of MatchConditions,
114 // as well as providing an identifier for logging purposes. A good
115 // name should be descriptive of
116 // the associated expression.
117 // Name must be a qualified name consisting of alphanumeric
118 // characters, '-', '_' or '.', and
119 // must start and end with an alphanumeric character (e.g.
120 // 'MyName', or 'my.name', or
121 // '123-abc', regex used for validation is
122 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
123 // optional DNS subdomain prefix and '/' (e.g.
124 // 'example.com/MyName')
125 //
126 // Required.
127 "name"!: string
128 }]
129
130 // Context defines variables and data sources that can be used
131 // during rule execution.
132 "context"?: [...matchN(1, [{
133 "configMap"!: _
134 }, {
135 "apiCall"!: _
136 }, {
137 "imageRegistry"!: _
138 }, {
139 "variable"!: _
140 }, {
141 "globalReference"!: _
142 }]) & {
143 // APICall is an HTTP request to the Kubernetes API server, or
144 // other JSON web service.
145 // The data returned is stored in the context with the name for
146 // the context entry.
147 "apiCall"?: {
148 // The data object specifies the POST data sent to the server.
149 // Only applicable when the method field is set to POST.
150 "data"?: [...{
151 // Key is a unique identifier for the data value
152 "key"!: string
153
154 // Value is the data value
155 "value"!: null | bool | number | string | [...] | {
156 ...
157 }
158 }]
159
160 // Default is an optional arbitrary JSON object that the context
161 // value is set to, if the apiCall returns error.
162 "default"?: null | bool | number | string | [...] | {
163 ...
164 }
165
166 // JMESPath is an optional JSON Match Expression that can be used
167 // to
168 // transform the JSON response returned from the server. For
169 // example
170 // a JMESPath of "items | length(@)" applied to the API server
171 // response
172 // for the URLPath "/apis/apps/v1/deployments" will return the
173 // total count
174 // of deployments across all namespaces.
175 "jmesPath"?: string
176
177 // Method is the HTTP request type (GET or POST). Defaults to GET.
178 "method"?: "GET" | "POST"
179
180 // Service is an API call to a JSON web service.
181 // This is used for non-Kubernetes API server calls.
182 // It's mutually exclusive with the URLPath field.
183 "service"?: {
184 // CABundle is a PEM encoded CA bundle which will be used to
185 // validate
186 // the server certificate.
187 "caBundle"?: string
188
189 // Headers is a list of optional HTTP headers to be included in
190 // the request.
191 "headers"?: [...{
192 // Key is the header key
193 "key"!: string
194
195 // Value is the header value
196 "value"!: string
197 }]
198
199 // URL is the JSON web service URL. A typical form is
200 // `https://{service}.{namespace}:{port}/{path}`.
201 "url"!: string
202 }
203
204 // URLPath is the URL path to be used in the HTTP GET or POST
205 // request to the
206 // Kubernetes API server (e.g. "/api/v1/namespaces" or
207 // "/apis/apps/v1/deployments").
208 // The format required is the same format used by the `kubectl get
209 // --raw` command.
210 // See
211 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
212 // for details.
213 // It's mutually exclusive with the Service field.
214 "urlPath"?: string
215 }
216
217 // ConfigMap is the ConfigMap reference.
218 "configMap"?: {
219 // Name is the ConfigMap name.
220 "name"!: string
221
222 // Namespace is the ConfigMap namespace.
223 "namespace"?: string
224 }
225
226 // GlobalContextEntryReference is a reference to a cached global
227 // context entry.
228 "globalReference"?: {
229 // JMESPath is an optional JSON Match Expression that can be used
230 // to
231 // transform the JSON response returned from the server. For
232 // example
233 // a JMESPath of "items | length(@)" applied to the API server
234 // response
235 // for the URLPath "/apis/apps/v1/deployments" will return the
236 // total count
237 // of deployments across all namespaces.
238 "jmesPath"?: string
239
240 // Name of the global context entry
241 "name"!: string
242 }
243
244 // ImageRegistry defines requests to an OCI/Docker V2 registry to
245 // fetch image
246 // details.
247 "imageRegistry"?: {
248 // ImageRegistryCredentials provides credentials that will be used
249 // for authentication with registry
250 "imageRegistryCredentials"?: {
251 // AllowInsecureRegistry allows insecure access to a registry.
252 "allowInsecureRegistry"?: bool
253
254 // Providers specifies a list of OCI Registry names, whose
255 // authentication providers are provided.
256 // It can be one of these values:
257 // default,google,azure,amazon,github.
258 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
259
260 // Secrets specifies a list of secrets that are provided for
261 // credentials.
262 // Secrets must live in the Kyverno namespace.
263 "secrets"?: [...string]
264 }
265
266 // JMESPath is an optional JSON Match Expression that can be used
267 // to
268 // transform the ImageData struct returned as a result of
269 // processing
270 // the image reference.
271 "jmesPath"?: string
272
273 // Reference is image reference to a container image in the
274 // registry.
275 // Example: ghcr.io/kyverno/kyverno:latest
276 "reference"!: string
277 }
278
279 // Name is the variable name.
280 "name"!: string
281
282 // Variable defines an arbitrary JMESPath context variable that
283 // can be defined inline.
284 "variable"?: {
285 // Default is an optional arbitrary JSON object that the variable
286 // may take if the JMESPath
287 // expression evaluates to nil
288 "default"?: null | bool | number | string | [...] | {
289 ...
290 }
291
292 // JMESPath is an optional JMESPath Expression that can be used to
293 // transform the variable.
294 "jmesPath"?: string
295
296 // Value is any arbitrary JSON object representable in YAML or
297 // JSON form.
298 "value"?: null | bool | number | string | [...] | {
299 ...
300 }
301 }
302 }]
303
304 // ExcludeResources defines when this policy rule should not be
305 // applied. The exclude
306 // criteria can include resource information (e.g. kind, name,
307 // namespace, labels)
308 // and admission review request information like the name or role.
309 "exclude"?: matchN(0, [null | bool | number | string | [...] | {
310 "any"!: _
311 "all"!: _
312 }]) & {
313 // All allows specifying resources which will be ANDed
314 "all"?: [...{
315 // ClusterRoles is the list of cluster-wide role names for the
316 // user.
317 "clusterRoles"?: [...string]
318
319 // ResourceDescription contains information about the resource
320 // being created or modified.
321 "resources"?: matchN(0, [null | bool | number | string | [...] | {
322 "name"!: _
323 "names"!: _
324 }]) & {
325 // Annotations is a map of annotations (key-value pairs of type
326 // string). Annotation keys
327 // and values support the wildcard characters "*" (matches zero or
328 // many characters) and
329 // "?" (matches at least one character).
330 "annotations"?: [string]: string
331
332 // Kinds is a list of resource kinds.
333 "kinds"?: [...string]
334
335 // Name is the name of the resource. The name supports wildcard
336 // characters
337 // "*" (matches zero or many characters) and "?" (at least one
338 // character).
339 // NOTE: "Name" is being deprecated in favor of "Names".
340 "name"?: string
341
342 // Names are the names of the resources. Each name supports
343 // wildcard characters
344 // "*" (matches zero or many characters) and "?" (at least one
345 // character).
346 "names"?: [...string]
347
348 // NamespaceSelector is a label selector for the resource
349 // namespace. Label keys and values
350 // in `matchLabels` support the wildcard characters `*` (matches
351 // zero or many characters)
352 // and `?` (matches one character). Wildcards allow writing label
353 // selectors like
354 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
355 // any key and value but
356 // does not match an empty label set.
357 "namespaceSelector"?: {
358 // matchExpressions is a list of label selector requirements. The
359 // requirements are ANDed.
360 "matchExpressions"?: [...{
361 // key is the label key that the selector applies to.
362 "key"!: string
363
364 // operator represents a key's relationship to a set of values.
365 // Valid operators are In, NotIn, Exists and DoesNotExist.
366 "operator"!: string
367
368 // values is an array of string values. If the operator is In or
369 // NotIn,
370 // the values array must be non-empty. If the operator is Exists
371 // or DoesNotExist,
372 // the values array must be empty. This array is replaced during a
373 // strategic
374 // merge patch.
375 "values"?: [...string]
376 }]
377
378 // matchLabels is a map of {key,value} pairs. A single {key,value}
379 // in the matchLabels
380 // map is equivalent to an element of matchExpressions, whose key
381 // field is "key", the
382 // operator is "In", and the values array contains only "value".
383 // The requirements are ANDed.
384 "matchLabels"?: {
385 [string]: string
386 }
387 }
388
389 // Namespaces is a list of namespace names. Each name supports
390 // wildcard characters
391 // "*" (matches zero or many characters) and "?" (at least one
392 // character).
393 "namespaces"?: [...string]
394
395 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
396 // "DELETE"], which are used to match a specific action.
397 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
398
399 // Selector is a label selector. Label keys and values in
400 // `matchLabels` support the wildcard
401 // characters `*` (matches zero or many characters) and `?`
402 // (matches one character).
403 // Wildcards allow writing label selectors like
404 // ["storage.k8s.io/*": "*"]. Note that
405 // using ["*" : "*"] matches any key and value but does not match
406 // an empty label set.
407 "selector"?: {
408 // matchExpressions is a list of label selector requirements. The
409 // requirements are ANDed.
410 "matchExpressions"?: [...{
411 // key is the label key that the selector applies to.
412 "key"!: string
413
414 // operator represents a key's relationship to a set of values.
415 // Valid operators are In, NotIn, Exists and DoesNotExist.
416 "operator"!: string
417
418 // values is an array of string values. If the operator is In or
419 // NotIn,
420 // the values array must be non-empty. If the operator is Exists
421 // or DoesNotExist,
422 // the values array must be empty. This array is replaced during a
423 // strategic
424 // merge patch.
425 "values"?: [...string]
426 }]
427
428 // matchLabels is a map of {key,value} pairs. A single {key,value}
429 // in the matchLabels
430 // map is equivalent to an element of matchExpressions, whose key
431 // field is "key", the
432 // operator is "In", and the values array contains only "value".
433 // The requirements are ANDed.
434 "matchLabels"?: {
435 [string]: string
436 }
437 }
438 }
439
440 // Roles is the list of namespaced role names for the user.
441 "roles"?: [...string]
442
443 // Subjects is the list of subject names like users, user groups,
444 // and service accounts.
445 "subjects"?: [...{
446 // APIGroup holds the API group of the referenced subject.
447 // Defaults to "" for ServiceAccount subjects.
448 // Defaults to "rbac.authorization.k8s.io" for User and Group
449 // subjects.
450 "apiGroup"?: string
451
452 // Kind of object being referenced. Values defined by this API
453 // group are "User", "Group", and "ServiceAccount".
454 // If the Authorizer does not recognize the kind value, the
455 // Authorizer should report an error.
456 "kind"!: string
457
458 // Name of the object being referenced.
459 "name"!: string
460
461 // Namespace of the referenced object. If the object kind is
462 // non-namespaced, such as "User" or "Group", and this value is
463 // not empty,
464 // the Authorizer should report an error.
465 "namespace"?: string
466 }]
467 }]
468
469 // Any allows specifying resources which will be ORed
470 "any"?: [...{
471 // ClusterRoles is the list of cluster-wide role names for the
472 // user.
473 "clusterRoles"?: [...string]
474
475 // ResourceDescription contains information about the resource
476 // being created or modified.
477 "resources"?: matchN(0, [null | bool | number | string | [...] | {
478 "name"!: _
479 "names"!: _
480 }]) & {
481 // Annotations is a map of annotations (key-value pairs of type
482 // string). Annotation keys
483 // and values support the wildcard characters "*" (matches zero or
484 // many characters) and
485 // "?" (matches at least one character).
486 "annotations"?: [string]: string
487
488 // Kinds is a list of resource kinds.
489 "kinds"?: [...string]
490
491 // Name is the name of the resource. The name supports wildcard
492 // characters
493 // "*" (matches zero or many characters) and "?" (at least one
494 // character).
495 // NOTE: "Name" is being deprecated in favor of "Names".
496 "name"?: string
497
498 // Names are the names of the resources. Each name supports
499 // wildcard characters
500 // "*" (matches zero or many characters) and "?" (at least one
501 // character).
502 "names"?: [...string]
503
504 // NamespaceSelector is a label selector for the resource
505 // namespace. Label keys and values
506 // in `matchLabels` support the wildcard characters `*` (matches
507 // zero or many characters)
508 // and `?` (matches one character). Wildcards allow writing label
509 // selectors like
510 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
511 // any key and value but
512 // does not match an empty label set.
513 "namespaceSelector"?: {
514 // matchExpressions is a list of label selector requirements. The
515 // requirements are ANDed.
516 "matchExpressions"?: [...{
517 // key is the label key that the selector applies to.
518 "key"!: string
519
520 // operator represents a key's relationship to a set of values.
521 // Valid operators are In, NotIn, Exists and DoesNotExist.
522 "operator"!: string
523
524 // values is an array of string values. If the operator is In or
525 // NotIn,
526 // the values array must be non-empty. If the operator is Exists
527 // or DoesNotExist,
528 // the values array must be empty. This array is replaced during a
529 // strategic
530 // merge patch.
531 "values"?: [...string]
532 }]
533
534 // matchLabels is a map of {key,value} pairs. A single {key,value}
535 // in the matchLabels
536 // map is equivalent to an element of matchExpressions, whose key
537 // field is "key", the
538 // operator is "In", and the values array contains only "value".
539 // The requirements are ANDed.
540 "matchLabels"?: {
541 [string]: string
542 }
543 }
544
545 // Namespaces is a list of namespace names. Each name supports
546 // wildcard characters
547 // "*" (matches zero or many characters) and "?" (at least one
548 // character).
549 "namespaces"?: [...string]
550
551 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
552 // "DELETE"], which are used to match a specific action.
553 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
554
555 // Selector is a label selector. Label keys and values in
556 // `matchLabels` support the wildcard
557 // characters `*` (matches zero or many characters) and `?`
558 // (matches one character).
559 // Wildcards allow writing label selectors like
560 // ["storage.k8s.io/*": "*"]. Note that
561 // using ["*" : "*"] matches any key and value but does not match
562 // an empty label set.
563 "selector"?: {
564 // matchExpressions is a list of label selector requirements. The
565 // requirements are ANDed.
566 "matchExpressions"?: [...{
567 // key is the label key that the selector applies to.
568 "key"!: string
569
570 // operator represents a key's relationship to a set of values.
571 // Valid operators are In, NotIn, Exists and DoesNotExist.
572 "operator"!: string
573
574 // values is an array of string values. If the operator is In or
575 // NotIn,
576 // the values array must be non-empty. If the operator is Exists
577 // or DoesNotExist,
578 // the values array must be empty. This array is replaced during a
579 // strategic
580 // merge patch.
581 "values"?: [...string]
582 }]
583
584 // matchLabels is a map of {key,value} pairs. A single {key,value}
585 // in the matchLabels
586 // map is equivalent to an element of matchExpressions, whose key
587 // field is "key", the
588 // operator is "In", and the values array contains only "value".
589 // The requirements are ANDed.
590 "matchLabels"?: {
591 [string]: string
592 }
593 }
594 }
595
596 // Roles is the list of namespaced role names for the user.
597 "roles"?: [...string]
598
599 // Subjects is the list of subject names like users, user groups,
600 // and service accounts.
601 "subjects"?: [...{
602 // APIGroup holds the API group of the referenced subject.
603 // Defaults to "" for ServiceAccount subjects.
604 // Defaults to "rbac.authorization.k8s.io" for User and Group
605 // subjects.
606 "apiGroup"?: string
607
608 // Kind of object being referenced. Values defined by this API
609 // group are "User", "Group", and "ServiceAccount".
610 // If the Authorizer does not recognize the kind value, the
611 // Authorizer should report an error.
612 "kind"!: string
613
614 // Name of the object being referenced.
615 "name"!: string
616
617 // Namespace of the referenced object. If the object kind is
618 // non-namespaced, such as "User" or "Group", and this value is
619 // not empty,
620 // the Authorizer should report an error.
621 "namespace"?: string
622 }]
623 }]
624
625 // ClusterRoles is the list of cluster-wide role names for the
626 // user.
627 "clusterRoles"?: [...string]
628
629 // ResourceDescription contains information about the resource
630 // being created or modified.
631 // Requires at least one tag to be specified when under
632 // MatchResources.
633 // Specifying ResourceDescription directly under match is being
634 // deprecated.
635 // Please specify under "any" or "all" instead.
636 "resources"?: matchN(0, [null | bool | number | string | [...] | {
637 "name"!: _
638 "names"!: _
639 }]) & {
640 // Annotations is a map of annotations (key-value pairs of type
641 // string). Annotation keys
642 // and values support the wildcard characters "*" (matches zero or
643 // many characters) and
644 // "?" (matches at least one character).
645 "annotations"?: [string]: string
646
647 // Kinds is a list of resource kinds.
648 "kinds"?: [...string]
649
650 // Name is the name of the resource. The name supports wildcard
651 // characters
652 // "*" (matches zero or many characters) and "?" (at least one
653 // character).
654 // NOTE: "Name" is being deprecated in favor of "Names".
655 "name"?: string
656
657 // Names are the names of the resources. Each name supports
658 // wildcard characters
659 // "*" (matches zero or many characters) and "?" (at least one
660 // character).
661 "names"?: [...string]
662
663 // NamespaceSelector is a label selector for the resource
664 // namespace. Label keys and values
665 // in `matchLabels` support the wildcard characters `*` (matches
666 // zero or many characters)
667 // and `?` (matches one character). Wildcards allow writing label
668 // selectors like
669 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
670 // any key and value but
671 // does not match an empty label set.
672 "namespaceSelector"?: {
673 // matchExpressions is a list of label selector requirements. The
674 // requirements are ANDed.
675 "matchExpressions"?: [...{
676 // key is the label key that the selector applies to.
677 "key"!: string
678
679 // operator represents a key's relationship to a set of values.
680 // Valid operators are In, NotIn, Exists and DoesNotExist.
681 "operator"!: string
682
683 // values is an array of string values. If the operator is In or
684 // NotIn,
685 // the values array must be non-empty. If the operator is Exists
686 // or DoesNotExist,
687 // the values array must be empty. This array is replaced during a
688 // strategic
689 // merge patch.
690 "values"?: [...string]
691 }]
692
693 // matchLabels is a map of {key,value} pairs. A single {key,value}
694 // in the matchLabels
695 // map is equivalent to an element of matchExpressions, whose key
696 // field is "key", the
697 // operator is "In", and the values array contains only "value".
698 // The requirements are ANDed.
699 "matchLabels"?: {
700 [string]: string
701 }
702 }
703
704 // Namespaces is a list of namespace names. Each name supports
705 // wildcard characters
706 // "*" (matches zero or many characters) and "?" (at least one
707 // character).
708 "namespaces"?: [...string]
709
710 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
711 // "DELETE"], which are used to match a specific action.
712 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
713
714 // Selector is a label selector. Label keys and values in
715 // `matchLabels` support the wildcard
716 // characters `*` (matches zero or many characters) and `?`
717 // (matches one character).
718 // Wildcards allow writing label selectors like
719 // ["storage.k8s.io/*": "*"]. Note that
720 // using ["*" : "*"] matches any key and value but does not match
721 // an empty label set.
722 "selector"?: {
723 // matchExpressions is a list of label selector requirements. The
724 // requirements are ANDed.
725 "matchExpressions"?: [...{
726 // key is the label key that the selector applies to.
727 "key"!: string
728
729 // operator represents a key's relationship to a set of values.
730 // Valid operators are In, NotIn, Exists and DoesNotExist.
731 "operator"!: string
732
733 // values is an array of string values. If the operator is In or
734 // NotIn,
735 // the values array must be non-empty. If the operator is Exists
736 // or DoesNotExist,
737 // the values array must be empty. This array is replaced during a
738 // strategic
739 // merge patch.
740 "values"?: [...string]
741 }]
742
743 // matchLabels is a map of {key,value} pairs. A single {key,value}
744 // in the matchLabels
745 // map is equivalent to an element of matchExpressions, whose key
746 // field is "key", the
747 // operator is "In", and the values array contains only "value".
748 // The requirements are ANDed.
749 "matchLabels"?: {
750 [string]: string
751 }
752 }
753 }
754
755 // Roles is the list of namespaced role names for the user.
756 "roles"?: [...string]
757
758 // Subjects is the list of subject names like users, user groups,
759 // and service accounts.
760 "subjects"?: [...{
761 // APIGroup holds the API group of the referenced subject.
762 // Defaults to "" for ServiceAccount subjects.
763 // Defaults to "rbac.authorization.k8s.io" for User and Group
764 // subjects.
765 "apiGroup"?: string
766
767 // Kind of object being referenced. Values defined by this API
768 // group are "User", "Group", and "ServiceAccount".
769 // If the Authorizer does not recognize the kind value, the
770 // Authorizer should report an error.
771 "kind"!: string
772
773 // Name of the object being referenced.
774 "name"!: string
775
776 // Namespace of the referenced object. If the object kind is
777 // non-namespaced, such as "User" or "Group", and this value is
778 // not empty,
779 // the Authorizer should report an error.
780 "namespace"?: string
781 }]
782 }
783
784 // Generation is used to create new resources.
785 "generate"?: {
786 // APIVersion specifies resource apiVersion.
787 "apiVersion"?: string
788
789 // Clone specifies the source resource used to populate each
790 // generated resource.
791 // At most one of Data or Clone can be specified. If neither are
792 // provided, the generated
793 // resource will be created with default data only.
794 "clone"?: {
795 // Name specifies name of the resource.
796 "name"?: string
797
798 // Namespace specifies source resource namespace.
799 "namespace"?: string
800 }
801
802 // CloneList specifies the list of source resources used to
803 // populate each generated resource.
804 "cloneList"?: {
805 // Kinds is a list of resource kinds.
806 "kinds"?: [...string]
807
808 // Namespace specifies source resource namespace.
809 "namespace"?: string
810
811 // Selector is a label selector applied to label keys and values
812 // in `matchLabels`.
813 // Wildcard characters are not supported.
814 "selector"?: {
815 // matchExpressions is a list of label selector requirements. The
816 // requirements are ANDed.
817 "matchExpressions"?: [...{
818 // key is the label key that the selector applies to.
819 "key"!: string
820
821 // operator represents a key's relationship to a set of values.
822 // Valid operators are In, NotIn, Exists and DoesNotExist.
823 "operator"!: string
824
825 // values is an array of string values. If the operator is In or
826 // NotIn,
827 // the values array must be non-empty. If the operator is Exists
828 // or DoesNotExist,
829 // the values array must be empty. This array is replaced during a
830 // strategic
831 // merge patch.
832 "values"?: [...string]
833 }]
834
835 // matchLabels is a map of {key,value} pairs. A single {key,value}
836 // in the matchLabels
837 // map is equivalent to an element of matchExpressions, whose key
838 // field is "key", the
839 // operator is "In", and the values array contains only "value".
840 // The requirements are ANDed.
841 "matchLabels"?: {
842 [string]: string
843 }
844 }
845 }
846
847 // Data provides the resource declaration used to populate each
848 // generated resource.
849 // At most one of Data or Clone can be specified. If neither are
850 // provided, the generated
851 // resource will be created with default data only.
852 "data"?: null | bool | number | string | [...] | {
853 ...
854 }
855
856 // ForEach applies generate rules to a list of sub-elements by
857 // creating a context for each entry in the list and looping over
858 // it to apply the specified logic.
859 "foreach"?: [...{
860 // APIVersion specifies resource apiVersion.
861 "apiVersion"?: string
862
863 // Clone specifies the source resource used to populate each
864 // generated resource.
865 // At most one of Data or Clone can be specified. If neither are
866 // provided, the generated
867 // resource will be created with default data only.
868 "clone"?: {
869 // Name specifies name of the resource.
870 "name"?: string
871
872 // Namespace specifies source resource namespace.
873 "namespace"?: string
874 }
875
876 // CloneList specifies the list of source resources used to
877 // populate each generated resource.
878 "cloneList"?: {
879 // Kinds is a list of resource kinds.
880 "kinds"?: [...string]
881
882 // Namespace specifies source resource namespace.
883 "namespace"?: string
884
885 // Selector is a label selector applied to label keys and values
886 // in `matchLabels`.
887 // Wildcard characters are not supported.
888 "selector"?: {
889 // matchExpressions is a list of label selector requirements. The
890 // requirements are ANDed.
891 "matchExpressions"?: [...{
892 // key is the label key that the selector applies to.
893 "key"!: string
894
895 // operator represents a key's relationship to a set of values.
896 // Valid operators are In, NotIn, Exists and DoesNotExist.
897 "operator"!: string
898
899 // values is an array of string values. If the operator is In or
900 // NotIn,
901 // the values array must be non-empty. If the operator is Exists
902 // or DoesNotExist,
903 // the values array must be empty. This array is replaced during a
904 // strategic
905 // merge patch.
906 "values"?: [...string]
907 }]
908
909 // matchLabels is a map of {key,value} pairs. A single {key,value}
910 // in the matchLabels
911 // map is equivalent to an element of matchExpressions, whose key
912 // field is "key", the
913 // operator is "In", and the values array contains only "value".
914 // The requirements are ANDed.
915 "matchLabels"?: {
916 [string]: string
917 }
918 }
919 }
920
921 // Context defines variables and data sources that can be used
922 // during rule execution.
923 "context"?: [...matchN(1, [{
924 "configMap"!: _
925 }, {
926 "apiCall"!: _
927 }, {
928 "imageRegistry"!: _
929 }, {
930 "variable"!: _
931 }, {
932 "globalReference"!: _
933 }]) & {
934 // APICall is an HTTP request to the Kubernetes API server, or
935 // other JSON web service.
936 // The data returned is stored in the context with the name for
937 // the context entry.
938 "apiCall"?: {
939 // The data object specifies the POST data sent to the server.
940 // Only applicable when the method field is set to POST.
941 "data"?: [...{
942 // Key is a unique identifier for the data value
943 "key"!: string
944
945 // Value is the data value
946 "value"!: null | bool | number | string | [...] | {
947 ...
948 }
949 }]
950
951 // Default is an optional arbitrary JSON object that the context
952 // value is set to, if the apiCall returns an error.
953 "default"?: null | bool | number | string | [...] | {
954 ...
955 }
956
957 // JMESPath is an optional JSON Match Expression that can be used
958 // to
959 // transform the JSON response returned from the server. For
960 // example
961 // a JMESPath of "items | length(@)" applied to the API server
962 // response
963 // for the URLPath "/apis/apps/v1/deployments" will return the
964 // total count
965 // of deployments across all namespaces.
966 "jmesPath"?: string
967
968 // Method is the HTTP request type (GET or POST). Defaults to GET.
969 "method"?: "GET" | "POST"
970
971 // Service is an API call to a JSON web service.
972 // This is used for non-Kubernetes API server calls.
973 // It's mutually exclusive with the URLPath field.
974 "service"?: {
975 // CABundle is a PEM encoded CA bundle which will be used to
976 // validate
977 // the server certificate.
978 "caBundle"?: string
979
980 // Headers is a list of optional HTTP headers to be included in
981 // the request.
982 "headers"?: [...{
983 // Key is the header key
984 "key"!: string
985
986 // Value is the header value
987 "value"!: string
988 }]
989
990 // URL is the JSON web service URL. A typical form is
991 // `https://{service}.{namespace}:{port}/{path}`.
992 "url"!: string
993 }
994
995 // URLPath is the URL path to be used in the HTTP GET or POST
996 // request to the
997 // Kubernetes API server (e.g. "/api/v1/namespaces" or
998 // "/apis/apps/v1/deployments").
999 // The format required is the same format used by the `kubectl get
1000 // --raw` command.
1001 // See
1002 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1003 // for details.
1004 // It's mutually exclusive with the Service field.
1005 "urlPath"?: string
1006 }
1007
1008 // ConfigMap is the ConfigMap reference.
1009 "configMap"?: {
1010 // Name is the ConfigMap name.
1011 "name"!: string
1012
1013 // Namespace is the ConfigMap namespace.
1014 "namespace"?: string
1015 }
1016
1017 // GlobalContextEntryReference is a reference to a cached global
1018 // context entry.
1019 "globalReference"?: {
1020 // JMESPath is an optional JSON Match Expression that can be used
1021 // to
1022 // transform the JSON response returned from the server. For
1023 // example
1024 // a JMESPath of "items | length(@)" applied to the API server
1025 // response
1026 // for the URLPath "/apis/apps/v1/deployments" will return the
1027 // total count
1028 // of deployments across all namespaces.
1029 "jmesPath"?: string
1030
1031 // Name of the global context entry
1032 "name"!: string
1033 }
1034
1035 // ImageRegistry defines requests to an OCI/Docker V2 registry to
1036 // fetch image
1037 // details.
1038 "imageRegistry"?: {
1039 // ImageRegistryCredentials provides credentials that will be used
1040 // for authentication with the registry
1041 "imageRegistryCredentials"?: {
1042 // AllowInsecureRegistry allows insecure access to a registry.
1043 "allowInsecureRegistry"?: bool
1044
1045 // Providers specifies a list of OCI Registry names, whose
1046 // authentication providers are provided.
1047 // It can be of one of these values:
1048 // default,google,azure,amazon,github.
1049 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1050
1051 // Secrets specifies a list of secrets that are provided for
1052 // credentials.
1053 // Secrets must live in the Kyverno namespace.
1054 "secrets"?: [...string]
1055 }
1056
1057 // JMESPath is an optional JSON Match Expression that can be used
1058 // to
1059 // transform the ImageData struct returned as a result of
1060 // processing
1061 // the image reference.
1062 "jmesPath"?: string
1063
1064 // Reference is image reference to a container image in the
1065 // registry.
1066 // Example: ghcr.io/kyverno/kyverno:latest
1067 "reference"!: string
1068 }
1069
1070 // Name is the variable name.
1071 "name"!: string
1072
1073 // Variable defines an arbitrary JMESPath context variable that
1074 // can be defined inline.
1075 "variable"?: {
1076 // Default is an optional arbitrary JSON object that the variable
1077 // may take if the JMESPath
1078 // expression evaluates to nil
1079 "default"?: null | bool | number | string | [...] | {
1080 ...
1081 }
1082
1083 // JMESPath is an optional JMESPath Expression that can be used to
1084 // transform the variable.
1085 "jmesPath"?: string
1086
1087 // Value is any arbitrary JSON object representable in YAML or
1088 // JSON form.
1089 "value"?: null | bool | number | string | [...] | {
1090 ...
1091 }
1092 }
1093 }]
1094
1095 // Data provides the resource declaration used to populate each
1096 // generated resource.
1097 // At most one of Data or Clone can be specified. If neither are
1098 // provided, the generated
1099 // resource will be created with default data only.
1100 "data"?: null | bool | number | string | [...] | {
1101 ...
1102 }
1103
1104 // Kind specifies resource kind.
1105 "kind"?: string
1106
1107 // List specifies a JMESPath expression that results in one or
1108 // more elements
1109 // to which the validation logic is applied.
1110 "list"?: string
1111
1112 // Name specifies the resource name.
1113 "name"?: string
1114
1115 // Namespace specifies resource namespace.
1116 "namespace"?: string
1117
1118 // AnyAllConditions are used to determine if a policy rule should
1119 // be applied by evaluating a
1120 // set of conditions. The declaration can contain nested `any` or
1121 // `all` statements.
1122 // See: https://kyverno.io/docs/writing-policies/preconditions/
1123 "preconditions"?: {
1124 // AllConditions enable variable-based conditional rule execution.
1125 // This is useful for
1126 // finer control of when a rule is applied. A condition can
1127 // reference object data
1128 // using JMESPath notation.
1129 // Here, all of the conditions need to pass
1130 "all"?: [...{
1131 // Key is the context entry (using JMESPath) for conditional rule
1132 // evaluation.
1133 "key"?: null | bool | number | string | [...] | {
1134 ...
1135 }
1136
1137 // Message is an optional display message
1138 "message"?: string
1139
1140 // Operator is the conditional operation to perform. Valid
1141 // operators are:
1142 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1143 // GreaterThanOrEquals,
1144 // GreaterThan, LessThanOrEquals, LessThan,
1145 // DurationGreaterThanOrEquals, DurationGreaterThan,
1146 // DurationLessThanOrEquals, DurationLessThan
1147 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1148
1149 // Value is the conditional value, or set of values. The values
1150 // can be fixed set
1151 // or can be variables declared using JMESPath.
1152 "value"?: null | bool | number | string | [...] | {
1153 ...
1154 }
1155 }]
1156
1157 // AnyConditions enable variable-based conditional rule execution.
1158 // This is useful for
1159 // finer control of when a rule is applied. A condition can
1160 // reference object data
1161 // using JMESPath notation.
1162 // Here, at least one of the conditions needs to pass
1163 "any"?: [...{
1164 // Key is the context entry (using JMESPath) for conditional rule
1165 // evaluation.
1166 "key"?: null | bool | number | string | [...] | {
1167 ...
1168 }
1169
1170 // Message is an optional display message
1171 "message"?: string
1172
1173 // Operator is the conditional operation to perform. Valid
1174 // operators are:
1175 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1176 // GreaterThanOrEquals,
1177 // GreaterThan, LessThanOrEquals, LessThan,
1178 // DurationGreaterThanOrEquals, DurationGreaterThan,
1179 // DurationLessThanOrEquals, DurationLessThan
1180 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1181
1182 // Value is the conditional value, or set of values. The values
1183 // can be fixed set
1184 // or can be variables declared using JMESPath.
1185 "value"?: null | bool | number | string | [...] | {
1186 ...
1187 }
1188 }]
1189 ...
1190 }
1191
1192 // UID specifies the resource uid.
1193 "uid"?: string
1194 }]
1195
1196 // GenerateExisting controls whether to trigger the rule in
1197 // existing resources
1198 // If set to "true" the rule will be triggered and applied to
1199 // existing matched resources.
1200 "generateExisting"?: bool
1201
1202 // Kind specifies resource kind.
1203 "kind"?: string
1204
1205 // Name specifies the resource name.
1206 "name"?: string
1207
1208 // Namespace specifies resource namespace.
1209 "namespace"?: string
1210
1211 // OrphanDownstreamOnPolicyDelete controls whether generated
1212 // resources should be deleted when the rule that generated
1213 // them is deleted with synchronization enabled. This option is
1214 // only applicable to generate rules of the data type.
1215 // See
1216 // https://kyverno.io/docs/writing-policies/generate/#data-examples.
1217 // Defaults to "false" if not specified.
1218 "orphanDownstreamOnPolicyDelete"?: bool
1219
1220 // Synchronize controls if generated resources should be kept
1221 // in-sync with their source resource.
1222 // If Synchronize is set to "true" changes to generated resources
1223 // will be overwritten with resource
1224 // data from Data or the resource specified in the Clone
1225 // declaration.
1226 // Optional. Defaults to "false" if not specified.
1227 "synchronize"?: bool
1228
1229 // UID specifies the resource uid.
1230 "uid"?: string
1231 }
1232
1233 // ImageExtractors defines a mapping from kinds to
1234 // ImageExtractorConfigs.
1235 // This config is only valid for verifyImages rules.
1236 "imageExtractors"?: {
1237 [string]: [...{
1238 // JMESPath is an optional JMESPath expression to apply to the
1239 // image value.
1240 // This is useful when the extracted image begins with a prefix
1241 // like 'docker://'.
1242 // The 'trim_prefix' function may be used to trim the prefix:
1243 // trim_prefix(@, 'docker://').
1244 // Note - Image digest mutation may not be used when applying a
1245 // JMESPath to an image.
1246 "jmesPath"?: string
1247
1248 // Key is an optional name of the field within 'path' that will be
1249 // used to uniquely identify an image.
1250 // Note - this field MUST be unique.
1251 "key"?: string
1252
1253 // Name is the entry the image will be available under
1254 // 'images.<name>' in the context.
1255 // If this field is not defined, image entries will appear under
1256 // 'images.custom'.
1257 "name"?: string
1258
1259 // Path is the path to the object containing the image field in a
1260 // custom resource.
1261 // It should be slash-separated. Each slash-separated key must be
1262 // a valid YAML key or a wildcard '*'.
1263 // Wildcard keys are expanded in case of arrays or objects.
1264 "path"!: string
1265
1266 // Value is an optional name of the field within 'path' that
1267 // points to the image URI.
1268 // This is useful when a custom 'key' is also defined.
1269 "value"?: string
1270 }]
1271 }
1272
1273 // MatchResources defines when this policy rule should be applied.
1274 // The match
1275 // criteria can include resource information (e.g. kind, name,
1276 // namespace, labels)
1277 // and admission review request information like the user name or
1278 // role.
1279 // At least one kind is required.
1280 "match"!: matchN(0, [null | bool | number | string | [...] | {
1281 "any"!: _
1282 "all"!: _
1283 }]) & {
1284 // All allows specifying resources which will be ANDed
1285 "all"?: [...{
1286 // ClusterRoles is the list of cluster-wide role names for the
1287 // user.
1288 "clusterRoles"?: [...string]
1289
1290 // ResourceDescription contains information about the resource
1291 // being created or modified.
1292 "resources"?: matchN(0, [null | bool | number | string | [...] | {
1293 "name"!: _
1294 "names"!: _
1295 }]) & {
1296 // Annotations is a map of annotations (key-value pairs of type
1297 // string). Annotation keys
1298 // and values support the wildcard characters "*" (matches zero or
1299 // many characters) and
1300 // "?" (matches at least one character).
1301 "annotations"?: [string]: string
1302
1303 // Kinds is a list of resource kinds.
1304 "kinds"?: [...string]
1305
1306 // Name is the name of the resource. The name supports wildcard
1307 // characters
1308 // "*" (matches zero or many characters) and "?" (at least one
1309 // character).
1310 // NOTE: "Name" is being deprecated in favor of "Names".
1311 "name"?: string
1312
1313 // Names are the names of the resources. Each name supports
1314 // wildcard characters
1315 // "*" (matches zero or many characters) and "?" (at least one
1316 // character).
1317 "names"?: [...string]
1318
1319 // NamespaceSelector is a label selector for the resource
1320 // namespace. Label keys and values
1321 // in `matchLabels` support the wildcard characters `*` (matches
1322 // zero or many characters)
1323 // and `?` (matches one character). Wildcards allow writing label
1324 // selectors like
1325 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1326 // any key and value but
1327 // does not match an empty label set.
1328 "namespaceSelector"?: {
1329 // matchExpressions is a list of label selector requirements. The
1330 // requirements are ANDed.
1331 "matchExpressions"?: [...{
1332 // key is the label key that the selector applies to.
1333 "key"!: string
1334
1335 // operator represents a key's relationship to a set of values.
1336 // Valid operators are In, NotIn, Exists and DoesNotExist.
1337 "operator"!: string
1338
1339 // values is an array of string values. If the operator is In or
1340 // NotIn,
1341 // the values array must be non-empty. If the operator is Exists
1342 // or DoesNotExist,
1343 // the values array must be empty. This array is replaced during a
1344 // strategic
1345 // merge patch.
1346 "values"?: [...string]
1347 }]
1348
1349 // matchLabels is a map of {key,value} pairs. A single {key,value}
1350 // in the matchLabels
1351 // map is equivalent to an element of matchExpressions, whose key
1352 // field is "key", the
1353 // operator is "In", and the values array contains only "value".
1354 // The requirements are ANDed.
1355 "matchLabels"?: {
1356 [string]: string
1357 }
1358 }
1359
1360 // Namespaces is a list of namespace names. Each name supports
1361 // wildcard characters
1362 // "*" (matches zero or many characters) and "?" (at least one
1363 // character).
1364 "namespaces"?: [...string]
1365
1366 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1367 // "DELETE"], which are used to match a specific action.
1368 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1369
1370 // Selector is a label selector. Label keys and values in
1371 // `matchLabels` support the wildcard
1372 // characters `*` (matches zero or many characters) and `?`
1373 // (matches one character).
1374 // Wildcards allow writing label selectors like
1375 // ["storage.k8s.io/*": "*"]. Note that
1376 // using ["*" : "*"] matches any key and value but does not match
1377 // an empty label set.
1378 "selector"?: {
1379 // matchExpressions is a list of label selector requirements. The
1380 // requirements are ANDed.
1381 "matchExpressions"?: [...{
1382 // key is the label key that the selector applies to.
1383 "key"!: string
1384
1385 // operator represents a key's relationship to a set of values.
1386 // Valid operators are In, NotIn, Exists and DoesNotExist.
1387 "operator"!: string
1388
1389 // values is an array of string values. If the operator is In or
1390 // NotIn,
1391 // the values array must be non-empty. If the operator is Exists
1392 // or DoesNotExist,
1393 // the values array must be empty. This array is replaced during a
1394 // strategic
1395 // merge patch.
1396 "values"?: [...string]
1397 }]
1398
1399 // matchLabels is a map of {key,value} pairs. A single {key,value}
1400 // in the matchLabels
1401 // map is equivalent to an element of matchExpressions, whose key
1402 // field is "key", the
1403 // operator is "In", and the values array contains only "value".
1404 // The requirements are ANDed.
1405 "matchLabels"?: {
1406 [string]: string
1407 }
1408 }
1409 }
1410
1411 // Roles is the list of namespaced role names for the user.
1412 "roles"?: [...string]
1413
1414 // Subjects is the list of subject names like users, user groups,
1415 // and service accounts.
1416 "subjects"?: [...{
1417 // APIGroup holds the API group of the referenced subject.
1418 // Defaults to "" for ServiceAccount subjects.
1419 // Defaults to "rbac.authorization.k8s.io" for User and Group
1420 // subjects.
1421 "apiGroup"?: string
1422
1423 // Kind of object being referenced. Values defined by this API
1424 // group are "User", "Group", and "ServiceAccount".
1425 // If the Authorizer does not recognize the kind value, the
1426 // Authorizer should report an error.
1427 "kind"!: string
1428
1429 // Name of the object being referenced.
1430 "name"!: string
1431
1432 // Namespace of the referenced object. If the object kind is
1433 // non-namespaced, such as "User" or "Group", and this value is
1434 // not empty
1435 // the Authorizer should report an error.
1436 "namespace"?: string
1437 }]
1438 }]
1439
1440 // Any allows specifying resources which will be ORed
1441 "any"?: [...{
1442 // ClusterRoles is the list of cluster-wide role names for the
1443 // user.
1444 "clusterRoles"?: [...string]
1445
1446 // ResourceDescription contains information about the resource
1447 // being created or modified.
1448 "resources"?: matchN(0, [null | bool | number | string | [...] | {
1449 "name"!: _
1450 "names"!: _
1451 }]) & {
1452 // Annotations is a map of annotations (key-value pairs of type
1453 // string). Annotation keys
1454 // and values support the wildcard characters "*" (matches zero or
1455 // many characters) and
1456 // "?" (matches at least one character).
1457 "annotations"?: [string]: string
1458
1459 // Kinds is a list of resource kinds.
1460 "kinds"?: [...string]
1461
1462 // Name is the name of the resource. The name supports wildcard
1463 // characters
1464 // "*" (matches zero or many characters) and "?" (at least one
1465 // character).
1466 // NOTE: "Name" is being deprecated in favor of "Names".
1467 "name"?: string
1468
1469 // Names are the names of the resources. Each name supports
1470 // wildcard characters
1471 // "*" (matches zero or many characters) and "?" (at least one
1472 // character).
1473 "names"?: [...string]
1474
1475 // NamespaceSelector is a label selector for the resource
1476 // namespace. Label keys and values
1477 // in `matchLabels` support the wildcard characters `*` (matches
1478 // zero or many characters)
1479 // and `?` (matches one character). Wildcards allow writing label
1480 // selectors like
1481 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1482 // any key and value but
1483 // does not match an empty label set.
1484 "namespaceSelector"?: {
1485 // matchExpressions is a list of label selector requirements. The
1486 // requirements are ANDed.
1487 "matchExpressions"?: [...{
1488 // key is the label key that the selector applies to.
1489 "key"!: string
1490
1491 // operator represents a key's relationship to a set of values.
1492 // Valid operators are In, NotIn, Exists and DoesNotExist.
1493 "operator"!: string
1494
1495 // values is an array of string values. If the operator is In or
1496 // NotIn,
1497 // the values array must be non-empty. If the operator is Exists
1498 // or DoesNotExist,
1499 // the values array must be empty. This array is replaced during a
1500 // strategic
1501 // merge patch.
1502 "values"?: [...string]
1503 }]
1504
1505 // matchLabels is a map of {key,value} pairs. A single {key,value}
1506 // in the matchLabels
1507 // map is equivalent to an element of matchExpressions, whose key
1508 // field is "key", the
1509 // operator is "In", and the values array contains only "value".
1510 // The requirements are ANDed.
1511 "matchLabels"?: {
1512 [string]: string
1513 }
1514 }
1515
1516 // Namespaces is a list of namespace names. Each name supports
1517 // wildcard characters
1518 // "*" (matches zero or many characters) and "?" (at least one
1519 // character).
1520 "namespaces"?: [...string]
1521
1522 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1523 // "DELETE"], which are used to match a specific action.
1524 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1525
1526 // Selector is a label selector. Label keys and values in
1527 // `matchLabels` support the wildcard
1528 // characters `*` (matches zero or many characters) and `?`
1529 // (matches one character).
1530 // Wildcards allow writing label selectors like
1531 // ["storage.k8s.io/*": "*"]. Note that
1532 // using ["*" : "*"] matches any key and value but does not match
1533 // an empty label set.
1534 "selector"?: {
1535 // matchExpressions is a list of label selector requirements. The
1536 // requirements are ANDed.
1537 "matchExpressions"?: [...{
1538 // key is the label key that the selector applies to.
1539 "key"!: string
1540
1541 // operator represents a key's relationship to a set of values.
1542 // Valid operators are In, NotIn, Exists and DoesNotExist.
1543 "operator"!: string
1544
1545 // values is an array of string values. If the operator is In or
1546 // NotIn,
1547 // the values array must be non-empty. If the operator is Exists
1548 // or DoesNotExist,
1549 // the values array must be empty. This array is replaced during a
1550 // strategic
1551 // merge patch.
1552 "values"?: [...string]
1553 }]
1554
1555 // matchLabels is a map of {key,value} pairs. A single {key,value}
1556 // in the matchLabels
1557 // map is equivalent to an element of matchExpressions, whose key
1558 // field is "key", the
1559 // operator is "In", and the values array contains only "value".
1560 // The requirements are ANDed.
1561 "matchLabels"?: {
1562 [string]: string
1563 }
1564 }
1565 }
1566
1567 // Roles is the list of namespaced role names for the user.
1568 "roles"?: [...string]
1569
1570 // Subjects is the list of subject names like users, user groups,
1571 // and service accounts.
1572 "subjects"?: [...{
1573 // APIGroup holds the API group of the referenced subject.
1574 // Defaults to "" for ServiceAccount subjects.
1575 // Defaults to "rbac.authorization.k8s.io" for User and Group
1576 // subjects.
1577 "apiGroup"?: string
1578
1579 // Kind of object being referenced. Values defined by this API
1580 // group are "User", "Group", and "ServiceAccount".
1581 // If the Authorizer does not recognize the kind value, the
1582 // Authorizer should report an error.
1583 "kind"!: string
1584
1585 // Name of the object being referenced.
1586 "name"!: string
1587
1588 // Namespace of the referenced object. If the object kind is
1589 // non-namespaced, such as "User" or "Group", and this value is
1590 // not empty
1591 // the Authorizer should report an error.
1592 "namespace"?: string
1593 }]
1594 }]
1595
1596 // ClusterRoles is the list of cluster-wide role names for the
1597 // user.
1598 "clusterRoles"?: [...string]
1599
1600 // ResourceDescription contains information about the resource
1601 // being created or modified.
1602 // Requires at least one tag to be specified when under
1603 // MatchResources.
1604 // Specifying ResourceDescription directly under match is being
1605 // deprecated.
1606 // Please specify under "any" or "all" instead.
1607 "resources"?: matchN(0, [null | bool | number | string | [...] | {
1608 "name"!: _
1609 "names"!: _
1610 }]) & {
1611 // Annotations is a map of annotations (key-value pairs of type
1612 // string). Annotation keys
1613 // and values support the wildcard characters "*" (matches zero or
1614 // many characters) and
1615 // "?" (matches at least one character).
1616 "annotations"?: [string]: string
1617
1618 // Kinds is a list of resource kinds.
1619 "kinds"?: [...string]
1620
1621 // Name is the name of the resource. The name supports wildcard
1622 // characters
1623 // "*" (matches zero or many characters) and "?" (at least one
1624 // character).
1625 // NOTE: "Name" is being deprecated in favor of "Names".
1626 "name"?: string
1627
1628 // Names are the names of the resources. Each name supports
1629 // wildcard characters
1630 // "*" (matches zero or many characters) and "?" (at least one
1631 // character).
1632 "names"?: [...string]
1633
1634 // NamespaceSelector is a label selector for the resource
1635 // namespace. Label keys and values
1636 // in `matchLabels` support the wildcard characters `*` (matches
1637 // zero or many characters)
1638 // and `?` (matches one character). Wildcards allow writing label
1639 // selectors like
1640 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1641 // any key and value but
1642 // does not match an empty label set.
1643 "namespaceSelector"?: {
1644 // matchExpressions is a list of label selector requirements. The
1645 // requirements are ANDed.
1646 "matchExpressions"?: [...{
1647 // key is the label key that the selector applies to.
1648 "key"!: string
1649
1650 // operator represents a key's relationship to a set of values.
1651 // Valid operators are In, NotIn, Exists and DoesNotExist.
1652 "operator"!: string
1653
1654 // values is an array of string values. If the operator is In or
1655 // NotIn,
1656 // the values array must be non-empty. If the operator is Exists
1657 // or DoesNotExist,
1658 // the values array must be empty. This array is replaced during a
1659 // strategic
1660 // merge patch.
1661 "values"?: [...string]
1662 }]
1663
1664 // matchLabels is a map of {key,value} pairs. A single {key,value}
1665 // in the matchLabels
1666 // map is equivalent to an element of matchExpressions, whose key
1667 // field is "key", the
1668 // operator is "In", and the values array contains only "value".
1669 // The requirements are ANDed.
1670 "matchLabels"?: {
1671 [string]: string
1672 }
1673 }
1674
1675 // Namespaces is a list of namespace names. Each name supports
1676 // wildcard characters
1677 // "*" (matches zero or many characters) and "?" (at least one
1678 // character).
1679 "namespaces"?: [...string]
1680
1681 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1682 // "DELETE"], which are used to match a specific action.
1683 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1684
1685 // Selector is a label selector. Label keys and values in
1686 // `matchLabels` support the wildcard
1687 // characters `*` (matches zero or many characters) and `?`
1688 // (matches one character).
1689 // Wildcards allow writing label selectors like
1690 // ["storage.k8s.io/*": "*"]. Note that
1691 // using ["*" : "*"] matches any key and value but does not match
1692 // an empty label set.
1693 "selector"?: {
1694 // matchExpressions is a list of label selector requirements. The
1695 // requirements are ANDed.
1696 "matchExpressions"?: [...{
1697 // key is the label key that the selector applies to.
1698 "key"!: string
1699
1700 // operator represents a key's relationship to a set of values.
1701 // Valid operators are In, NotIn, Exists and DoesNotExist.
1702 "operator"!: string
1703
1704 // values is an array of string values. If the operator is In or
1705 // NotIn,
1706 // the values array must be non-empty. If the operator is Exists
1707 // or DoesNotExist,
1708 // the values array must be empty. This array is replaced during a
1709 // strategic
1710 // merge patch.
1711 "values"?: [...string]
1712 }]
1713
1714 // matchLabels is a map of {key,value} pairs. A single {key,value}
1715 // in the matchLabels
1716 // map is equivalent to an element of matchExpressions, whose key
1717 // field is "key", the
1718 // operator is "In", and the values array contains only "value".
1719 // The requirements are ANDed.
1720 "matchLabels"?: {
1721 [string]: string
1722 }
1723 }
1724 }
1725
1726 // Roles is the list of namespaced role names for the user.
1727 "roles"?: [...string]
1728
1729 // Subjects is the list of subject names like users, user groups,
1730 // and service accounts.
1731 "subjects"?: [...{
1732 // APIGroup holds the API group of the referenced subject.
1733 // Defaults to "" for ServiceAccount subjects.
1734 // Defaults to "rbac.authorization.k8s.io" for User and Group
1735 // subjects.
1736 "apiGroup"?: string
1737
1738 // Kind of object being referenced. Values defined by this API
1739 // group are "User", "Group", and "ServiceAccount".
1740 // If the Authorizer does not recognize the kind value, the
1741 // Authorizer should report an error.
1742 "kind"!: string
1743
1744 // Name of the object being referenced.
1745 "name"!: string
1746
1747 // Namespace of the referenced object. If the object kind is
1748 // non-namespaced, such as "User" or "Group", and this value is
1749 // not empty
1750 // the Authorizer should report an error.
1751 "namespace"?: string
1752 }]
1753 }
1754
1755 // Mutation is used to modify matching resources.
1756 "mutate"?: {
1757 // ForEach applies mutation rules to a list of sub-elements by
1758 // creating a context for each entry in the list and looping over
1759 // it to apply the specified logic.
1760 "foreach"?: [...{
1761 // Context defines variables and data sources that can be used
1762 // during rule execution.
1763 "context"?: [...matchN(1, [{
1764 "configMap"!: _
1765 }, {
1766 "apiCall"!: _
1767 }, {
1768 "imageRegistry"!: _
1769 }, {
1770 "variable"!: _
1771 }, {
1772 "globalReference"!: _
1773 }]) & {
1774 // APICall is an HTTP request to the Kubernetes API server, or
1775 // other JSON web service.
1776 // The data returned is stored in the context with the name for
1777 // the context entry.
1778 "apiCall"?: {
1779 // The data object specifies the POST data sent to the server.
1780 // Only applicable when the method field is set to POST.
1781 "data"?: [...{
1782 // Key is a unique identifier for the data value
1783 "key"!: string
1784
1785 // Value is the data value
1786 "value"!: null | bool | number | string | [...] | {
1787 ...
1788 }
1789 }]
1790
1791 // Default is an optional arbitrary JSON object that the context
1792 // value is set to, if the apiCall returns an error.
1793 "default"?: null | bool | number | string | [...] | {
1794 ...
1795 }
1796
1797 // JMESPath is an optional JSON Match Expression that can be used
1798 // to
1799 // transform the JSON response returned from the server. For
1800 // example
1801 // a JMESPath of "items | length(@)" applied to the API server
1802 // response
1803 // for the URLPath "/apis/apps/v1/deployments" will return the
1804 // total count
1805 // of deployments across all namespaces.
1806 "jmesPath"?: string
1807
1808 // Method is the HTTP request type (GET or POST). Defaults to GET.
1809 "method"?: "GET" | "POST"
1810
1811 // Service is an API call to a JSON web service.
1812 // This is used for non-Kubernetes API server calls.
1813 // It's mutually exclusive with the URLPath field.
1814 "service"?: {
1815 // CABundle is a PEM encoded CA bundle which will be used to
1816 // validate
1817 // the server certificate.
1818 "caBundle"?: string
1819
1820 // Headers is a list of optional HTTP headers to be included in
1821 // the request.
1822 "headers"?: [...{
1823 // Key is the header key
1824 "key"!: string
1825
1826 // Value is the header value
1827 "value"!: string
1828 }]
1829
1830 // URL is the JSON web service URL. A typical form is
1831 // `https://{service}.{namespace}:{port}/{path}`.
1832 "url"!: string
1833 }
1834
1835 // URLPath is the URL path to be used in the HTTP GET or POST
1836 // request to the
1837 // Kubernetes API server (e.g. "/api/v1/namespaces" or
1838 // "/apis/apps/v1/deployments").
1839 // The format required is the same format used by the `kubectl get
1840 // --raw` command.
1841 // See
1842 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1843 // for details.
1844 // It's mutually exclusive with the Service field.
1845 "urlPath"?: string
1846 }
1847
1848 // ConfigMap is the ConfigMap reference.
1849 "configMap"?: {
1850 // Name is the ConfigMap name.
1851 "name"!: string
1852
1853 // Namespace is the ConfigMap namespace.
1854 "namespace"?: string
1855 }
1856
1857 // GlobalContextEntryReference is a reference to a cached global
1858 // context entry.
1859 "globalReference"?: {
1860 // JMESPath is an optional JSON Match Expression that can be used
1861 // to
1862 // transform the JSON response returned from the server. For
1863 // example
1864 // a JMESPath of "items | length(@)" applied to the API server
1865 // response
1866 // for the URLPath "/apis/apps/v1/deployments" will return the
1867 // total count
1868 // of deployments across all namespaces.
1869 "jmesPath"?: string
1870
1871 // Name of the global context entry
1872 "name"!: string
1873 }
1874
1875 // ImageRegistry defines requests to an OCI/Docker V2 registry to
1876 // fetch image
1877 // details.
1878 "imageRegistry"?: {
1879 // ImageRegistryCredentials provides credentials that will be used
1880 // for authentication with registry
1881 "imageRegistryCredentials"?: {
1882 // AllowInsecureRegistry allows insecure access to a registry.
1883 "allowInsecureRegistry"?: bool
1884
1885 // Providers specifies a list of OCI Registry names, whose
1886 // authentication providers are provided.
1887 // It can be of one of these values:
1888 // default,google,azure,amazon,github.
1889 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1890
1891 // Secrets specifies a list of secrets that are provided for
1892 // credentials.
1893 // Secrets must live in the Kyverno namespace.
1894 "secrets"?: [...string]
1895 }
1896
1897 // JMESPath is an optional JSON Match Expression that can be used
1898 // to
1899 // transform the ImageData struct returned as a result of
1900 // processing
1901 // the image reference.
1902 "jmesPath"?: string
1903
1904 // Reference is image reference to a container image in the
1905 // registry.
1906 // Example: ghcr.io/kyverno/kyverno:latest
1907 "reference"!: string
1908 }
1909
1910 // Name is the variable name.
1911 "name"!: string
1912
1913 // Variable defines an arbitrary JMESPath context variable that
1914 // can be defined inline.
1915 "variable"?: {
1916 // Default is an optional arbitrary JSON object that the variable
1917 // may take if the JMESPath
1918 // expression evaluates to nil
1919 "default"?: null | bool | number | string | [...] | {
1920 ...
1921 }
1922
1923 // JMESPath is an optional JMESPath Expression that can be used to
1924 // transform the variable.
1925 "jmesPath"?: string
1926
1927 // Value is any arbitrary JSON object representable in YAML or
1928 // JSON form.
1929 "value"?: null | bool | number | string | [...] | {
1930 ...
1931 }
1932 }
1933 }]
1934
1935 // Foreach declares a nested foreach iterator
1936 "foreach"?: null | bool | number | string | [...] | {
1937 ...
1938 }
1939
1940 // List specifies a JMESPath expression that results in one or
1941 // more elements
1942 // to which the validation logic is applied.
1943 "list"?: string
1944
1945 // Order defines the iteration order on the list.
1946 // Can be Ascending to iterate from first to last element or
1947 // Descending to iterate from last to first element.
1948 "order"?: "Ascending" | "Descending"
1949
1950 // PatchStrategicMerge is a strategic merge patch used to modify
1951 // resources.
1952 // See
1953 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1954 // and
1955 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1956 "patchStrategicMerge"?: null | bool | number | string | [...] | {
1957 ...
1958 }
1959
1960 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1961 // used to modify resources.
1962 // See https://tools.ietf.org/html/rfc6902 and
1963 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1964 "patchesJson6902"?: string
1965
1966 // AnyAllConditions are used to determine if a policy rule should
1967 // be applied by evaluating a
1968 // set of conditions. The declaration can contain nested `any` or
1969 // `all` statements.
1970 // See: https://kyverno.io/docs/writing-policies/preconditions/
1971 "preconditions"?: {
1972 // AllConditions enable variable-based conditional rule execution.
1973 // This is useful for
1974 // finer control of when a rule is applied. A condition can
1975 // reference object data
1976 // using JMESPath notation.
1977 // Here, all of the conditions need to pass
1978 "all"?: [...{
1979 // Key is the context entry (using JMESPath) for conditional rule
1980 // evaluation.
1981 "key"?: null | bool | number | string | [...] | {
1982 ...
1983 }
1984
1985 // Message is an optional display message
1986 "message"?: string
1987
1988 // Operator is the conditional operation to perform. Valid
1989 // operators are:
1990 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1991 // GreaterThanOrEquals,
1992 // GreaterThan, LessThanOrEquals, LessThan,
1993 // DurationGreaterThanOrEquals, DurationGreaterThan,
1994 // DurationLessThanOrEquals, DurationLessThan
1995 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1996
1997 // Value is the conditional value, or set of values. The values
1998 // can be fixed set
1999 // or can be variables declared using JMESPath.
2000 "value"?: null | bool | number | string | [...] | {
2001 ...
2002 }
2003 }]
2004
2005 // AnyConditions enable variable-based conditional rule execution.
2006 // This is useful for
2007 // finer control of when a rule is applied. A condition can
2008 // reference object data
2009 // using JMESPath notation.
2010 // Here, at least one of the conditions need to pass
2011 "any"?: [...{
2012 // Key is the context entry (using JMESPath) for conditional rule
2013 // evaluation.
2014 "key"?: null | bool | number | string | [...] | {
2015 ...
2016 }
2017
2018 // Message is an optional display message
2019 "message"?: string
2020
2021 // Operator is the conditional operation to perform. Valid
2022 // operators are:
2023 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2024 // GreaterThanOrEquals,
2025 // GreaterThan, LessThanOrEquals, LessThan,
2026 // DurationGreaterThanOrEquals, DurationGreaterThan,
2027 // DurationLessThanOrEquals, DurationLessThan
2028 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2029
2030 // Value is the conditional value, or set of values. The values
2031 // can be fixed set
2032 // or can be variables declared using JMESPath.
2033 "value"?: null | bool | number | string | [...] | {
2034 ...
2035 }
2036 }]
2037 ...
2038 }
2039 }]
2040
2041 // MutateExistingOnPolicyUpdate controls if the mutateExisting
2042 // rule will be applied on policy events.
2043 "mutateExistingOnPolicyUpdate"?: bool
2044
2045 // PatchStrategicMerge is a strategic merge patch used to modify
2046 // resources.
2047 // See
2048 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
2049 // and
2050 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
2051 "patchStrategicMerge"?: null | bool | number | string | [...] | {
2052 ...
2053 }
2054
2055 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
2056 // used to modify resources.
2057 // See https://tools.ietf.org/html/rfc6902 and
2058 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
2059 "patchesJson6902"?: string
2060
2061 // Targets defines the target resources to be mutated.
2062 "targets"?: [...{
2063 // APIVersion specifies resource apiVersion.
2064 "apiVersion"?: string
2065
2066 // Context defines variables and data sources that can be used
2067 // during rule execution.
2068 "context"?: [...matchN(1, [{
2069 "configMap"!: _
2070 }, {
2071 "apiCall"!: _
2072 }, {
2073 "imageRegistry"!: _
2074 }, {
2075 "variable"!: _
2076 }, {
2077 "globalReference"!: _
2078 }]) & {
2079 // APICall is an HTTP request to the Kubernetes API server, or
2080 // other JSON web service.
2081 // The data returned is stored in the context with the name for
2082 // the context entry.
2083 "apiCall"?: {
2084 // The data object specifies the POST data sent to the server.
2085 // Only applicable when the method field is set to POST.
2086 "data"?: [...{
2087 // Key is a unique identifier for the data value
2088 "key"!: string
2089
2090 // Value is the data value
2091 "value"!: null | bool | number | string | [...] | {
2092 ...
2093 }
2094 }]
2095
2096 // Default is an optional arbitrary JSON object that the context
2097 // value is set to, if the apiCall returns error.
2098 "default"?: null | bool | number | string | [...] | {
2099 ...
2100 }
2101
2102 // JMESPath is an optional JSON Match Expression that can be used
2103 // to
2104 // transform the JSON response returned from the server. For
2105 // example
2106 // a JMESPath of "items | length(@)" applied to the API server
2107 // response
2108 // for the URLPath "/apis/apps/v1/deployments" will return the
2109 // total count
2110 // of deployments across all namespaces.
2111 "jmesPath"?: string
2112
2113 // Method is the HTTP request type (GET or POST). Defaults to GET.
2114 "method"?: "GET" | "POST"
2115
2116 // Service is an API call to a JSON web service.
2117 // This is used for non-Kubernetes API server calls.
2118 // It's mutually exclusive with the URLPath field.
2119 "service"?: {
2120 // CABundle is a PEM encoded CA bundle which will be used to
2121 // validate
2122 // the server certificate.
2123 "caBundle"?: string
2124
2125 // Headers is a list of optional HTTP headers to be included in
2126 // the request.
2127 "headers"?: [...{
2128 // Key is the header key
2129 "key"!: string
2130
2131 // Value is the header value
2132 "value"!: string
2133 }]
2134
2135 // URL is the JSON web service URL. A typical form is
2136 // `https://{service}.{namespace}:{port}/{path}`.
2137 "url"!: string
2138 }
2139
2140 // URLPath is the URL path to be used in the HTTP GET or POST
2141 // request to the
2142 // Kubernetes API server (e.g. "/api/v1/namespaces" or
2143 // "/apis/apps/v1/deployments").
2144 // The format required is the same format used by the `kubectl get
2145 // --raw` command.
2146 // See
2147 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2148 // for details.
2149 // It's mutually exclusive with the Service field.
2150 "urlPath"?: string
2151 }
2152
2153 // ConfigMap is the ConfigMap reference.
2154 "configMap"?: {
2155 // Name is the ConfigMap name.
2156 "name"!: string
2157
2158 // Namespace is the ConfigMap namespace.
2159 "namespace"?: string
2160 }
2161
2162 // GlobalContextEntryReference is a reference to a cached global
2163 // context entry.
2164 "globalReference"?: {
2165 // JMESPath is an optional JSON Match Expression that can be used
2166 // to
2167 // transform the JSON response returned from the server. For
2168 // example
2169 // a JMESPath of "items | length(@)" applied to the API server
2170 // response
2171 // for the URLPath "/apis/apps/v1/deployments" will return the
2172 // total count
2173 // of deployments across all namespaces.
2174 "jmesPath"?: string
2175
2176 // Name of the global context entry
2177 "name"!: string
2178 }
2179
2180 // ImageRegistry defines requests to an OCI/Docker V2 registry to
2181 // fetch image
2182 // details.
2183 "imageRegistry"?: {
2184 // ImageRegistryCredentials provides credentials that will be used
2185 // for authentication with registry
2186 "imageRegistryCredentials"?: {
2187 // AllowInsecureRegistry allows insecure access to a registry.
2188 "allowInsecureRegistry"?: bool
2189
2190 // Providers specifies a list of OCI Registry names, whose
2191 // authentication providers are provided.
2192 // It can be of one of these values:
2193 // default,google,azure,amazon,github.
2194 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2195
2196 // Secrets specifies a list of secrets that are provided for
2197 // credentials.
2198 // Secrets must live in the Kyverno namespace.
2199 "secrets"?: [...string]
2200 }
2201
2202 // JMESPath is an optional JSON Match Expression that can be used
2203 // to
2204 // transform the ImageData struct returned as a result of
2205 // processing
2206 // the image reference.
2207 "jmesPath"?: string
2208
2209 // Reference is image reference to a container image in the
2210 // registry.
2211 // Example: ghcr.io/kyverno/kyverno:latest
2212 "reference"!: string
2213 }
2214
2215 // Name is the variable name.
2216 "name"!: string
2217
2218 // Variable defines an arbitrary JMESPath context variable that
2219 // can be defined inline.
2220 "variable"?: {
2221 // Default is an optional arbitrary JSON object that the variable
2222 // may take if the JMESPath
2223 // expression evaluates to nil
2224 "default"?: null | bool | number | string | [...] | {
2225 ...
2226 }
2227
2228 // JMESPath is an optional JMESPath Expression that can be used to
2229 // transform the variable.
2230 "jmesPath"?: string
2231
2232 // Value is any arbitrary JSON object representable in YAML or
2233 // JSON form.
2234 "value"?: null | bool | number | string | [...] | {
2235 ...
2236 }
2237 }
2238 }]
2239
2240 // Kind specifies resource kind.
2241 "kind"?: string
2242
2243 // Name specifies the resource name.
2244 "name"?: string
2245
2246 // Namespace specifies resource namespace.
2247 "namespace"?: string
2248
2249 // Preconditions are used to determine if a policy rule should be
2250 // applied by evaluating a
2251 // set of conditions. The declaration can contain nested `any` or
2252 // `all` statements. A direct list
2253 // of conditions (without `any` or `all` statements) is supported
2254 // for backwards compatibility but
2255 // will be deprecated in the next major release.
2256 // See: https://kyverno.io/docs/writing-policies/preconditions/
2257 "preconditions"?: null | bool | number | string | [...] | {
2258 ...
2259 }
2260
2261 // Selector allows you to select target resources with their
2262 // labels.
2263 "selector"?: {
2264 // matchExpressions is a list of label selector requirements. The
2265 // requirements are ANDed.
2266 "matchExpressions"?: [...{
2267 // key is the label key that the selector applies to.
2268 "key"!: string
2269
2270 // operator represents a key's relationship to a set of values.
2271 // Valid operators are In, NotIn, Exists and DoesNotExist.
2272 "operator"!: string
2273
2274 // values is an array of string values. If the operator is In or
2275 // NotIn,
2276 // the values array must be non-empty. If the operator is Exists
2277 // or DoesNotExist,
2278 // the values array must be empty. This array is replaced during a
2279 // strategic
2280 // merge patch.
2281 "values"?: [...string]
2282 }]
2283
2284 // matchLabels is a map of {key,value} pairs. A single {key,value}
2285 // in the matchLabels
2286 // map is equivalent to an element of matchExpressions, whose key
2287 // field is "key", the
2288 // operator is "In", and the values array contains only "value".
2289 // The requirements are ANDed.
2290 "matchLabels"?: {
2291 [string]: string
2292 }
2293 }
2294
2295 // UID specifies the resource uid.
2296 "uid"?: string
2297 }]
2298 }
2299
2300 // Name is a label to identify the rule. It must be unique within
2301 // the policy.
2302 "name"!: strings.MaxRunes(
2303 63)
2304
2305 // Preconditions are used to determine if a policy rule should be
2306 // applied by evaluating a
2307 // set of conditions. The declaration can contain nested `any` or
2308 // `all` statements. A direct list
2309 // of conditions (without `any` or `all` statements) is supported
2310 // for backwards compatibility but
2311 // will be deprecated in the next major release.
2312 // See: https://kyverno.io/docs/writing-policies/preconditions/
2313 "preconditions"?: null | bool | number | string | [...] | {
2314 ...
2315 }
2316
2317 // ReportProperties are the additional properties from the rule
2318 // that will be added to the policy report result
2319 "reportProperties"?: {
2320 [string]: string
2321 }
2322
2323 // SkipBackgroundRequests bypasses admission requests that are
2324 // sent by the background controller.
2325 // The default value is set to "true", it must be set to "false"
2326 // to apply
2327 // generate and mutateExisting rules to those requests.
2328 "skipBackgroundRequests"?: bool
2329
2330 // Validation is used to validate matching resources.
2331 "validate"?: {
2332 // AllowExistingViolations allows preexisting violating resources
2333 // to continue violating a policy.
2334 "allowExistingViolations"?: bool
2335
2336 // AnyPattern specifies list of validation patterns. At least one
2337 // of the patterns
2338 // must be satisfied for the validation rule to succeed.
2339 "anyPattern"?: null | bool | number | string | [...] | {
2340 ...
2341 }
2342
2343 // Assert defines a kyverno-json assertion tree.
2344 "assert"?: {
2345 ...
2346 }
2347
2348 // CEL allows validation checks using the Common Expression
2349 // Language
2350 // (https://kubernetes.io/docs/reference/using-api/cel/).
2351 "cel"?: {
2352 // AuditAnnotations contains CEL expressions which are used to
2353 // produce audit annotations for the audit event of the API
2354 // request.
2355 "auditAnnotations"?: [...{
2356 // key specifies the audit annotation key. The audit annotation
2357 // keys of
2358 // a ValidatingAdmissionPolicy must be unique. The key must be a
2359 // qualified
2360 // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
2361 // length.
2362 //
2363 // The key is combined with the resource name of the
2364 // ValidatingAdmissionPolicy to construct an audit annotation key:
2365 // "{ValidatingAdmissionPolicy name}/{key}".
2366 //
2367 // If an admission webhook uses the same resource name as this
2368 // ValidatingAdmissionPolicy
2369 // and the same audit annotation key, the annotation key will be
2370 // identical.
2371 // In this case, the first annotation written with the key will be
2372 // included
2373 // in the audit event and all subsequent annotations with the same
2374 // key
2375 // will be discarded.
2376 //
2377 // Required.
2378 "key"!: string
2379
2380 // valueExpression represents the expression which is evaluated by
2381 // CEL to
2382 // produce an audit annotation value. The expression must evaluate
2383 // to either
2384 // a string or null value. If the expression evaluates to a
2385 // string, the
2386 // audit annotation is included with the string value. If the
2387 // expression
2388 // evaluates to null or empty string the audit annotation will be
2389 // omitted.
2390 // The valueExpression may be no longer than 5kb in length.
2391 // If the result of the valueExpression is more than 10kb in
2392 // length, it
2393 // will be truncated to 10kb.
2394 //
2395 // If multiple ValidatingAdmissionPolicyBinding resources match an
2396 // API request, then the valueExpression will be evaluated for
2397 // each binding. All unique values produced by the
2398 // valueExpressions
2399 // will be joined together in a comma-separated list.
2400 //
2401 // Required.
2402 "valueExpression"!: string
2403 }]
2404
2405 // Expressions is a list of CELExpression types.
2406 "expressions"?: [...{
2407 // Expression represents the expression which will be evaluated by
2408 // CEL.
2409 // ref: https://github.com/google/cel-spec
2410 // CEL expressions have access to the contents of the API
2411 // request/response, organized into CEL variables as well as some
2412 // other useful variables:
2413 //
2414 // - 'object' - The object from the incoming request. The value is
2415 // null for DELETE requests.
2416 // - 'oldObject' - The existing object. The value is null for
2417 // CREATE requests.
2418 // - 'request' - Attributes of the API
2419 // request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
2420 // - 'params' - Parameter resource referred to by the policy
2421 // binding being evaluated. Only populated if the policy has a
2422 // ParamKind.
2423 // - 'namespaceObject' - The namespace object that the incoming
2424 // object belongs to. The value is null for cluster-scoped
2425 // resources.
2426 // - 'variables' - Map of composited variables, from its name to
2427 // its lazily evaluated value.
2428 // For example, a variable named 'foo' can be accessed as
2429 // 'variables.foo'.
2430 // - 'authorizer' - A CEL Authorizer. May be used to perform
2431 // authorization checks for the principal (user or service
2432 // account) of the request.
2433 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
2434 // - 'authorizer.requestResource' - A CEL ResourceCheck
2435 // constructed from the 'authorizer' and configured with the
2436 // request resource.
2437 //
2438 // The `apiVersion`, `kind`, `metadata.name` and
2439 // `metadata.generateName` are always accessible from the root of
2440 // the
2441 // object. No other metadata properties are accessible.
2442 //
2443 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
2444 // are accessible.
2445 // Accessible property names are escaped according to the
2446 // following rules when accessed in the expression:
2447 // - '__' escapes to '__underscores__'
2448 // - '.' escapes to '__dot__'
2449 // - '-' escapes to '__dash__'
2450 // - '/' escapes to '__slash__'
2451 // - Property names that exactly match a CEL RESERVED keyword
2452 // escape to '__{keyword}__'. The keywords are:
2453 // "true", "false", "null", "in", "as", "break", "const",
2454 // "continue", "else", "for", "function", "if",
2455 // "import", "let", "loop", "package", "namespace", "return".
2456 // Examples:
2457 // - Expression accessing a property named "namespace":
2458 // {"Expression": "object.__namespace__ > 0"}
2459 // - Expression accessing a property named "x-prop":
2460 // {"Expression": "object.x__dash__prop > 0"}
2461 // - Expression accessing a property named "redact__d":
2462 // {"Expression": "object.redact__underscores__d > 0"}
2463 //
2464 // Equality on arrays with list type of 'set' or 'map' ignores
2465 // element order, i.e. [1, 2] == [2, 1].
2466 // Concatenation on arrays with x-kubernetes-list-type use the
2467 // semantics of the list type:
2468 // - 'set': `X + Y` performs a union where the array positions of
2469 // all elements in `X` are preserved and
2470 // non-intersecting elements in `Y` are appended, retaining their
2471 // partial order.
2472 // - 'map': `X + Y` performs a merge where the array positions of
2473 // all keys in `X` are preserved but the values
2474 // are overwritten by values in `Y` when the key sets of `X` and
2475 // `Y` intersect. Elements in `Y` with
2476 // non-intersecting keys are appended, retaining their partial
2477 // order.
2478 // Required.
2479 "expression"!: string
2480
2481 // Message represents the message displayed when validation fails.
2482 // The message is required if the Expression contains
2483 // line breaks. The message must not contain line breaks.
2484 // If unset, the message is "failed rule: {Rule}".
2485 // e.g. "must be a URL with the host matching spec.host"
2486 // If the Expression contains line breaks, Message is required.
2487 // The message must not contain line breaks.
2488 // If unset, the message is "failed Expression: {Expression}".
2489 "message"?: string
2490
2491 // messageExpression declares a CEL expression that evaluates to
2492 // the validation failure message that is returned when this rule
2493 // fails.
2494 // Since messageExpression is used as a failure message, it must
2495 // evaluate to a string.
2496 // If both message and messageExpression are present on a
2497 // validation, then messageExpression will be used if validation
2498 // fails.
2499 // If messageExpression results in a runtime error, the runtime
2500 // error is logged, and the validation failure message is
2501 // produced
2502 // as if the messageExpression field were unset. If
2503 // messageExpression evaluates to an empty string, a string with
2504 // only spaces, or a string
2505 // that contains line breaks, then the validation failure message
2506 // will also be produced as if the messageExpression field were
2507 // unset, and
2508 // the fact that messageExpression produced an empty string/string
2509 // with only spaces/string with line breaks will be logged.
2510 // messageExpression has access to all the same variables as the
2511 // `expression` except for 'authorizer' and
2512 // 'authorizer.requestResource'.
2513 // Example:
2514 // "object.x must be less than max ("+string(params.max)+")"
2515 "messageExpression"?: string
2516
2517 // Reason represents a machine-readable description of why this
2518 // validation failed.
2519 // If this is the first validation in the list to fail, this
2520 // reason, as well as the
2521 // corresponding HTTP response code, are used in the
2522 // HTTP response to the client.
2523 // The currently supported reasons are: "Unauthorized",
2524 // "Forbidden", "Invalid", "RequestEntityTooLarge".
2525 // If not set, StatusReasonInvalid is used in the response to the
2526 // client.
2527 "reason"?: string
2528 }]
2529
2530 // ParamKind is a tuple of Group Kind and Version.
2531 "paramKind"?: {
2532 // APIVersion is the API group version the resources belong to.
2533 // In format of "group/version".
2534 // Required.
2535 "apiVersion"?: string
2536
2537 // Kind is the API kind the resources belong to.
2538 // Required.
2539 "kind"?: string
2540 }
2541
2542 // ParamRef references a parameter resource.
2543 "paramRef"?: {
2544 // name is the name of the resource being referenced.
2545 //
2546 // One of `name` or `selector` must be set, but `name` and
2547 // `selector` are
2548 // mutually exclusive properties. If one is set, the other must be
2549 // unset.
2550 //
2551 // A single parameter used for all admission requests can be
2552 // configured
2553 // by setting the `name` field, leaving `selector` blank, and
2554 // setting namespace
2555 // if `paramKind` is namespace-scoped.
2556 "name"?: string
2557
2558 // namespace is the namespace of the referenced resource. Allows
2559 // limiting
2560 // the search for params to a specific namespace. Applies to both
2561 // `name` and
2562 // `selector` fields.
2563 //
2564 // A per-namespace parameter may be used by specifying a
2565 // namespace-scoped
2566 // `paramKind` in the policy and leaving this field empty.
2567 //
2568 // - If `paramKind` is cluster-scoped, this field MUST be unset.
2569 // Setting this
2570 // field results in a configuration error.
2571 //
2572 // - If `paramKind` is namespace-scoped, the namespace of the
2573 // object being
2574 // evaluated for admission will be used when this field is left
2575 // unset. Take
2576 // care that if this is left empty the binding must not match any
2577 // cluster-scoped
2578 // resources, which will result in an error.
2579 "namespace"?: string
2580
2581 // `parameterNotFoundAction` controls the behavior of the binding
2582 // when the resource
2583 // exists, and name or selector is valid, but there are no
2584 // parameters
2585 // matched by the binding. If the value is set to `Allow`, then no
2586 // matched parameters will be treated as successful validation by
2587 // the binding.
2588 // If set to `Deny`, then no matched parameters will be subject to
2589 // the
2590 // `failurePolicy` of the policy.
2591 //
2592 // Allowed values are `Allow` or `Deny`
2593 //
2594 // Required
2595 "parameterNotFoundAction"?: string
2596
2597 // selector can be used to match multiple param objects based on
2598 // their labels.
2599 // Supply selector: {} to match all resources of the ParamKind.
2600 //
2601 // If multiple params are found, they are all evaluated with the
2602 // policy expressions
2603 // and the results are ANDed together.
2604 //
2605 // One of `name` or `selector` must be set, but `name` and
2606 // `selector` are
2607 // mutually exclusive properties. If one is set, the other must be
2608 // unset.
2609 "selector"?: {
2610 // matchExpressions is a list of label selector requirements. The
2611 // requirements are ANDed.
2612 "matchExpressions"?: [...{
2613 // key is the label key that the selector applies to.
2614 "key"!: string
2615
2616 // operator represents a key's relationship to a set of values.
2617 // Valid operators are In, NotIn, Exists and DoesNotExist.
2618 "operator"!: string
2619
2620 // values is an array of string values. If the operator is In or
2621 // NotIn,
2622 // the values array must be non-empty. If the operator is Exists
2623 // or DoesNotExist,
2624 // the values array must be empty. This array is replaced during a
2625 // strategic
2626 // merge patch.
2627 "values"?: [...string]
2628 }]
2629
2630 // matchLabels is a map of {key,value} pairs. A single {key,value}
2631 // in the matchLabels
2632 // map is equivalent to an element of matchExpressions, whose key
2633 // field is "key", the
2634 // operator is "In", and the values array contains only "value".
2635 // The requirements are ANDed.
2636 "matchLabels"?: {
2637 [string]: string
2638 }
2639 }
2640 }
2641
2642 // Variables contain definitions of variables that can be used in
2643 // composition of other expressions.
2644 // Each variable is defined as a named CEL expression.
2645 // The variables defined here will be available under `variables`
2646 // in other expressions of the policy.
2647 "variables"?: [...{
2648 // Expression is the expression that will be evaluated as the
2649 // value of the variable.
2650 // The CEL expression has access to the same identifiers as the
2651 // CEL expressions in Validation.
2652 "expression"!: string
2653
2654 // Name is the name of the variable. The name must be a valid CEL
2655 // identifier and unique among all variables.
2656 // The variable can be accessed in other expressions through
2657 // `variables`
2658 // For example, if name is "foo", the variable will be available
2659 // as `variables.foo`
2660 "name"!: string
2661 }]
2662 }
2663
2664 // Deny defines conditions used to pass or fail a validation rule.
2665 "deny"?: {
2666 // Multiple conditions can be declared under an `any` or `all`
2667 // statement. A direct list
2668 // of conditions (without `any` or `all` statements) is also
2669 // supported for backwards compatibility
2670 // but will be deprecated in the next major release.
2671 // See:
2672 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
2673 "conditions"?: null | bool | number | string | [...] | {
2674 ...
2675 }
2676 }
2677
2678 // FailureAction defines if a validation policy rule violation
2679 // should block
2680 // the admission review request (Enforce), or allow (Audit) the
2681 // admission review request
2682 // and report an error in a policy report. Optional.
2683 // Allowed values are Audit or Enforce.
2684 "failureAction"?: "Audit" | "Enforce"
2685
2686 // FailureActionOverrides is a Cluster Policy attribute that
2687 // specifies FailureAction
2688 // namespace-wise. It overrides FailureAction for the specified
2689 // namespaces.
2690 "failureActionOverrides"?: [...{
2691 // ValidationFailureAction defines the policy validation failure
2692 // action
2693 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
2694
2695 // A label selector is a label query over a set of resources. The
2696 // result of matchLabels and
2697 // matchExpressions are ANDed. An empty label selector matches all
2698 // objects. A null
2699 // label selector matches no objects.
2700 "namespaceSelector"?: {
2701 // matchExpressions is a list of label selector requirements. The
2702 // requirements are ANDed.
2703 "matchExpressions"?: [...{
2704 // key is the label key that the selector applies to.
2705 "key"!: string
2706
2707 // operator represents a key's relationship to a set of values.
2708 // Valid operators are In, NotIn, Exists and DoesNotExist.
2709 "operator"!: string
2710
2711 // values is an array of string values. If the operator is In or
2712 // NotIn,
2713 // the values array must be non-empty. If the operator is Exists
2714 // or DoesNotExist,
2715 // the values array must be empty. This array is replaced during a
2716 // strategic
2717 // merge patch.
2718 "values"?: [...string]
2719 }]
2720
2721 // matchLabels is a map of {key,value} pairs. A single {key,value}
2722 // in the matchLabels
2723 // map is equivalent to an element of matchExpressions, whose key
2724 // field is "key", the
2725 // operator is "In", and the values array contains only "value".
2726 // The requirements are ANDed.
2727 "matchLabels"?: {
2728 [string]: string
2729 }
2730 }
2731 "namespaces"?: [...string]
2732 }]
2733
2734 // ForEach applies validate rules to a list of sub-elements by
2735 // creating a context for each entry in the list and looping over
2736 // it to apply the specified logic.
2737 "foreach"?: [...{
2738 // AnyPattern specifies list of validation patterns. At least one
2739 // of the patterns
2740 // must be satisfied for the validation rule to succeed.
2741 "anyPattern"?: null | bool | number | string | [...] | {
2742 ...
2743 }
2744
2745 // Context defines variables and data sources that can be used
2746 // during rule execution.
2747 "context"?: [...matchN(1, [{
2748 "configMap"!: _
2749 }, {
2750 "apiCall"!: _
2751 }, {
2752 "imageRegistry"!: _
2753 }, {
2754 "variable"!: _
2755 }, {
2756 "globalReference"!: _
2757 }]) & {
2758 // APICall is an HTTP request to the Kubernetes API server, or
2759 // other JSON web service.
2760 // The data returned is stored in the context with the name for
2761 // the context entry.
2762 "apiCall"?: {
2763 // The data object specifies the POST data sent to the server.
2764 // Only applicable when the method field is set to POST.
2765 "data"?: [...{
2766 // Key is a unique identifier for the data value
2767 "key"!: string
2768
2769 // Value is the data value
2770 "value"!: null | bool | number | string | [...] | {
2771 ...
2772 }
2773 }]
2774
2775 // Default is an optional arbitrary JSON object that the context
2776 // value is set to, if the apiCall returns error.
2777 "default"?: null | bool | number | string | [...] | {
2778 ...
2779 }
2780
2781 // JMESPath is an optional JSON Match Expression that can be used
2782 // to
2783 // transform the JSON response returned from the server. For
2784 // example
2785 // a JMESPath of "items | length(@)" applied to the API server
2786 // response
2787 // for the URLPath "/apis/apps/v1/deployments" will return the
2788 // total count
2789 // of deployments across all namespaces.
2790 "jmesPath"?: string
2791
2792 // Method is the HTTP request type (GET or POST). Defaults to GET.
2793 "method"?: "GET" | "POST"
2794
2795 // Service is an API call to a JSON web service.
2796 // This is used for non-Kubernetes API server calls.
2797 // It's mutually exclusive with the URLPath field.
2798 "service"?: {
2799 // CABundle is a PEM encoded CA bundle which will be used to
2800 // validate
2801 // the server certificate.
2802 "caBundle"?: string
2803
2804 // Headers is a list of optional HTTP headers to be included in
2805 // the request.
2806 "headers"?: [...{
2807 // Key is the header key
2808 "key"!: string
2809
2810 // Value is the header value
2811 "value"!: string
2812 }]
2813
2814 // URL is the JSON web service URL. A typical form is
2815 // `https://{service}.{namespace}:{port}/{path}`.
2816 "url"!: string
2817 }
2818
2819 // URLPath is the URL path to be used in the HTTP GET or POST
2820 // request to the
2821 // Kubernetes API server (e.g. "/api/v1/namespaces" or
2822 // "/apis/apps/v1/deployments").
2823 // The format required is the same format used by the `kubectl get
2824 // --raw` command.
2825 // See
2826 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2827 // for details.
2828 // It's mutually exclusive with the Service field.
2829 "urlPath"?: string
2830 }
2831
2832 // ConfigMap is the ConfigMap reference.
2833 "configMap"?: {
2834 // Name is the ConfigMap name.
2835 "name"!: string
2836
2837 // Namespace is the ConfigMap namespace.
2838 "namespace"?: string
2839 }
2840
2841 // GlobalContextEntryReference is a reference to a cached global
2842 // context entry.
2843 "globalReference"?: {
2844 // JMESPath is an optional JSON Match Expression that can be used
2845 // to
2846 // transform the JSON response returned from the server. For
2847 // example
2848 // a JMESPath of "items | length(@)" applied to the API server
2849 // response
2850 // for the URLPath "/apis/apps/v1/deployments" will return the
2851 // total count
2852 // of deployments across all namespaces.
2853 "jmesPath"?: string
2854
2855 // Name of the global context entry
2856 "name"!: string
2857 }
2858
2859 // ImageRegistry defines requests to an OCI/Docker V2 registry to
2860 // fetch image
2861 // details.
2862 "imageRegistry"?: {
2863 // ImageRegistryCredentials provides the credentials that will be
2864 // used for authentication with the registry.
2865 "imageRegistryCredentials"?: {
2866 // AllowInsecureRegistry allows insecure access to a registry.
2867 "allowInsecureRegistry"?: bool
2868
2869 // Providers specifies a list of OCI Registry names, whose
2870 // authentication providers are provided.
2871 // It can be of one of these values:
2872 // default,google,azure,amazon,github.
2873 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2874
2875 // Secrets specifies a list of secrets that are provided for
2876 // credentials.
2877 // Secrets must live in the Kyverno namespace.
2878 "secrets"?: [...string]
2879 }
2880
2881 // JMESPath is an optional JSON Match Expression that can be used
2882 // to
2883 // transform the ImageData struct returned as a result of
2884 // processing
2885 // the image reference.
2886 "jmesPath"?: string
2887
2888 // Reference is image reference to a container image in the
2889 // registry.
2890 // Example: ghcr.io/kyverno/kyverno:latest
2891 "reference"!: string
2892 }
2893
2894 // Name is the variable name.
2895 "name"!: string
2896
2897 // Variable defines an arbitrary JMESPath context variable that
2898 // can be defined inline.
2899 "variable"?: {
2900 // Default is an optional arbitrary JSON object that the variable
2901 // may take if the JMESPath
2902 // expression evaluates to nil
2903 "default"?: null | bool | number | string | [...] | {
2904 ...
2905 }
2906
2907 // JMESPath is an optional JMESPath Expression that can be used to
2908 // transform the variable.
2909 "jmesPath"?: string
2910
2911 // Value is any arbitrary JSON object representable in YAML or
2912 // JSON form.
2913 "value"?: null | bool | number | string | [...] | {
2914 ...
2915 }
2916 }
2917 }]
2918
2919 // Deny defines conditions used to pass or fail a validation rule.
2920 "deny"?: {
2921 // Multiple conditions can be declared under an `any` or `all`
2922 // statement. A direct list
2923 // of conditions (without `any` or `all` statements) is also
2924 // supported for backwards compatibility
2925 // but will be deprecated in the next major release.
2926 // See:
2927 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
2928 "conditions"?: null | bool | number | string | [...] | {
2929 ...
2930 }
2931 }
2932
2933 // ElementScope specifies whether to use the current list element
2934 // as the scope for validation. Defaults to "true" if not
2935 // specified.
2936 // When set to "false", "request.object" is used as the validation
2937 // scope within the foreach
2938 // block to allow referencing other elements in the subtree.
2939 "elementScope"?: bool
2940
2941 // Foreach declares a nested foreach iterator
2942 "foreach"?: null | bool | number | string | [...] | {
2943 ...
2944 }
2945
2946 // List specifies a JMESPath expression that results in one or
2947 // more elements
2948 // to which the validation logic is applied.
2949 "list"?: string
2950
2951 // Pattern specifies an overlay-style pattern used to check
2952 // resources.
2953 "pattern"?: null | bool | number | string | [...] | {
2954 ...
2955 }
2956
2957 // AnyAllConditions are used to determine if a policy rule should
2958 // be applied by evaluating a
2959 // set of conditions. The declaration can contain nested `any` or
2960 // `all` statements.
2961 // See: https://kyverno.io/docs/writing-policies/preconditions/
2962 "preconditions"?: {
2963 // AllConditions enable variable-based conditional rule execution.
2964 // This is useful for
2965 // finer control of when a rule is applied. A condition can
2966 // reference object data
2967 // using JMESPath notation.
2968 // Here, all of the conditions need to pass
2969 "all"?: [...{
2970 // Key is the context entry (using JMESPath) for conditional rule
2971 // evaluation.
2972 "key"?: null | bool | number | string | [...] | {
2973 ...
2974 }
2975
2976 // Message is an optional display message
2977 "message"?: string
2978
2979 // Operator is the conditional operation to perform. Valid
2980 // operators are:
2981 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2982 // GreaterThanOrEquals,
2983 // GreaterThan, LessThanOrEquals, LessThan,
2984 // DurationGreaterThanOrEquals, DurationGreaterThan,
2985 // DurationLessThanOrEquals, DurationLessThan
2986 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2987
2988 // Value is the conditional value, or set of values. The values
2989 // can be fixed set
2990 // or can be variables declared using JMESPath.
2991 "value"?: null | bool | number | string | [...] | {
2992 ...
2993 }
2994 }]
2995
2996 // AnyConditions enable variable-based conditional rule execution.
2997 // This is useful for
2998 // finer control of when a rule is applied. A condition can
2999 // reference object data
3000 // using JMESPath notation.
3001 // Here, at least one of the conditions need to pass
3002 "any"?: [...{
3003 // Key is the context entry (using JMESPath) for conditional rule
3004 // evaluation.
3005 "key"?: null | bool | number | string | [...] | {
3006 ...
3007 }
3008
3009 // Message is an optional display message
3010 "message"?: string
3011
3012 // Operator is the conditional operation to perform. Valid
3013 // operators are:
3014 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3015 // GreaterThanOrEquals,
3016 // GreaterThan, LessThanOrEquals, LessThan,
3017 // DurationGreaterThanOrEquals, DurationGreaterThan,
3018 // DurationLessThanOrEquals, DurationLessThan
3019 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3020
3021 // Value is the conditional value, or set of values. The values
3022 // can be fixed set
3023 // or can be variables declared using JMESPath.
3024 "value"?: null | bool | number | string | [...] | {
3025 ...
3026 }
3027 }]
3028 ...
3029 }
3030 }]
3031
3032 // Manifest specifies conditions for manifest verification
3033 "manifests"?: {
3034 // AnnotationDomain is custom domain of annotation for message and
3035 // signature. Default is "cosign.sigstore.dev".
3036 "annotationDomain"?: string
3037
3038 // Attestors specify the required attestors (i.e. authorities).
3039 "attestors"?: [...{
3040 // Count specifies the required number of entries that must match.
3041 // If the count is null, all entries must match
3042 // (a logical AND). If the count is 1, at least one entry must
3043 // match (a logical OR). If the count contains a
3044 // value N, then N must be less than or equal to the size of
3045 // entries, and at least N entries must match.
3046 "count"?: int & >=1
3047
3048 // Entries contains the available attestors. An attestor can be a
3049 // static key,
3050 // attributes for keyless verification, or a nested attestor
3051 // declaration.
3052 "entries"?: [...{
3053 // Annotations are used for image verification.
3054 // Every specified key-value pair must exist and match in the
3055 // verified payload.
3056 // The payload may contain other key-value pairs.
3057 "annotations"?: [string]: string
3058
3059 // Attestor is a nested set of Attestor used to specify a more
3060 // complex set of match authorities.
3061 "attestor"?: null | bool | number | string | [...] | {
3062 ...
3063 }
3064
3065 // Certificates specifies one or more certificates.
3066 "certificates"?: {
3067 // Cert is an optional PEM-encoded public certificate.
3068 "cert"?: string
3069
3070 // CertChain is an optional PEM encoded set of certificates used
3071 // to verify.
3072 "certChain"?: string
3073
3074 // CTLog (certificate timestamp log) provides a configuration for
3075 // validation of Signed Certificate
3076 // Timestamps (SCTs). If the value is unset, the default behavior
3077 // by Cosign is used.
3078 "ctlog"?: {
3079 // IgnoreSCT defines whether to use the Signed Certificate
3080 // Timestamp (SCT) log to check for a certificate
3081 // timestamp. Default is false. Set to true if this was opted out
3082 // during signing.
3083 "ignoreSCT"?: bool
3084
3085 // PubKey, if set, is used to validate SCTs against a custom
3086 // source.
3087 "pubkey"?: string
3088
3089 // TSACertChain, if set, is the PEM-encoded certificate chain file
3090 // for the RFC3161 timestamp authority. Must
3091 // contain the root CA certificate. Optionally may contain
3092 // intermediate CA certificates, and
3093 // may contain the leaf TSA certificate if not present in the
3094 // timestamp source.
3095 "tsaCertChain"?: string
3096 }
3097
3098 // Rekor provides configuration for the Rekor transparency log
3099 // service. If an empty object
3100 // is provided the public instance of Rekor
3101 // (https://rekor.sigstore.dev) is used.
3102 "rekor"?: {
3103 // IgnoreTlog skips transparency log verification.
3104 "ignoreTlog"?: bool
3105
3106 // RekorPubKey is an optional PEM-encoded public key to use for a
3107 // custom Rekor.
3108 // If set, this will be used to validate transparency log
3109 // signatures from a custom Rekor.
3110 "pubkey"?: string
3111
3112 // URL is the address of the transparency log. Defaults to the
3113 // public Rekor log instance https://rekor.sigstore.dev.
3114 "url"?: string
3115 }
3116 }
3117
3118 // Keyless is a set of attributes used to verify a Sigstore
3119 // keyless attestor.
3120 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3121 "keyless"?: {
3122 // AdditionalExtensions are certificate-extensions used for
3123 // keyless signing.
3124 "additionalExtensions"?: [string]: string
3125
3126 // CTLog (certificate timestamp log) provides a configuration for
3127 // validation of Signed Certificate
3128 // Timestamps (SCTs). If the value is unset, the default behavior
3129 // by Cosign is used.
3130 "ctlog"?: {
3131 // IgnoreSCT defines whether to use the Signed Certificate
3132 // Timestamp (SCT) log to check for a certificate
3133 // timestamp. Default is false. Set to true if this was opted out
3134 // during signing.
3135 "ignoreSCT"?: bool
3136
3137 // PubKey, if set, is used to validate SCTs against a custom
3138 // source.
3139 "pubkey"?: string
3140
3141 // TSACertChain, if set, is the PEM-encoded certificate chain file
3142 // for the RFC3161 timestamp authority. Must
3143 // contain the root CA certificate. Optionally may contain
3144 // intermediate CA certificates, and
3145 // may contain the leaf TSA certificate if not present in the
3146 // timestamp source.
3147 "tsaCertChain"?: string
3148 }
3149
3150 // Issuer is the certificate issuer used for keyless signing.
3151 "issuer"?: string
3152
3153 // IssuerRegExp is the regular expression to match certificate
3154 // issuer used for keyless signing.
3155 "issuerRegExp"?: string
3156
3157 // Rekor provides configuration for the Rekor transparency log
3158 // service. If an empty object
3159 // is provided the public instance of Rekor
3160 // (https://rekor.sigstore.dev) is used.
3161 "rekor"?: {
3162 // IgnoreTlog skips transparency log verification.
3163 "ignoreTlog"?: bool
3164
3165 // RekorPubKey is an optional PEM-encoded public key to use for a
3166 // custom Rekor.
3167 // If set, this will be used to validate transparency log
3168 // signatures from a custom Rekor.
3169 "pubkey"?: string
3170
3171 // URL is the address of the transparency log. Defaults to the
3172 // public Rekor log instance https://rekor.sigstore.dev.
3173 "url"?: string
3174 }
3175
3176 // Roots is an optional set of PEM encoded trusted root
3177 // certificates.
3178 // If not provided, the system roots are used.
3179 "roots"?: string
3180
3181 // Subject is the verified identity used for keyless signing, for
3182 // example the email address.
3183 "subject"?: string
3184
3185 // SubjectRegExp is the regular expression to match identity used
3186 // for keyless signing, for example the email address.
3187 "subjectRegExp"?: string
3188 }
3189
3190 // Keys specifies one or more public keys.
3191 "keys"?: {
3192 // CTLog (certificate timestamp log) provides a configuration for
3193 // validation of Signed Certificate
3194 // Timestamps (SCTs). If the value is unset, the default behavior
3195 // by Cosign is used.
3196 "ctlog"?: {
3197 // IgnoreSCT defines whether to use the Signed Certificate
3198 // Timestamp (SCT) log to check for a certificate
3199 // timestamp. Default is false. Set to true if this was opted out
3200 // during signing.
3201 "ignoreSCT"?: bool
3202
3203 // PubKey, if set, is used to validate SCTs against a custom
3204 // source.
3205 "pubkey"?: string
3206
3207 // TSACertChain, if set, is the PEM-encoded certificate chain file
3208 // for the RFC3161 timestamp authority. Must
3209 // contain the root CA certificate. Optionally may contain
3210 // intermediate CA certificates, and
3211 // may contain the leaf TSA certificate if not present in the
3212 // timestamp source.
3213 "tsaCertChain"?: string
3214 }
3215
3216 // KMS provides the URI to the public key stored in a Key
3217 // Management System. See:
3218 // https://github.com/sigstore/cosign/blob/main/KMS.md
3219 "kms"?: string
3220
3221 // Keys is a set of X.509 public keys used to verify image
3222 // signatures. The keys can be directly
3223 // specified or can be a variable reference to a key specified in
3224 // a ConfigMap (see
3225 // https://kyverno.io/docs/writing-policies/variables/), or
3226 // reference a standard Kubernetes Secret
3227 // elsewhere in the cluster by specifying it in the format
3228 // "k8s://<namespace>/<secret_name>".
3229 // The named Secret must specify a key `cosign.pub` containing the
3230 // public key used for
3231 // verification, (see
3232 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3233 // When multiple keys are specified each key is processed as a
3234 // separate staticKey entry
3235 // (.attestors[*].entries.keys) within the set of attestors and
3236 // the count is applied across the keys.
3237 "publicKeys"?: string
3238
3239 // Rekor provides configuration for the Rekor transparency log
3240 // service. If an empty object
3241 // is provided the public instance of Rekor
3242 // (https://rekor.sigstore.dev) is used.
3243 "rekor"?: {
3244 // IgnoreTlog skips transparency log verification.
3245 "ignoreTlog"?: bool
3246
3247 // RekorPubKey is an optional PEM-encoded public key to use for a
3248 // custom Rekor.
3249 // If set, this will be used to validate transparency log
3250 // signatures from a custom Rekor.
3251 "pubkey"?: string
3252
3253 // URL is the address of the transparency log. Defaults to the
3254 // public Rekor log instance https://rekor.sigstore.dev.
3255 "url"?: string
3256 }
3257
3258 // Reference to a Secret resource that contains a public key
3259 "secret"?: {
3260 // Name of the secret. The provided secret must contain a key
3261 // named cosign.pub.
3262 "name"!: string
3263
3264 // Namespace name where the Secret exists.
3265 "namespace"!: string
3266 }
3267
3268 // Deprecated. Use attestor.signatureAlgorithm instead.
3269 "signatureAlgorithm"?: string
3270 }
3271
3272 // Repository is an optional alternate OCI repository to use for
3273 // signatures and attestations that match this rule.
3274 // If specified Repository will override other OCI image
3275 // repository locations for this Attestor.
3276 "repository"?: string
3277
3278 // Specify signature algorithm for public keys. Supported values
3279 // are sha224, sha256, sha384 and sha512.
3280 "signatureAlgorithm"?: string
3281 }]
3282 }]
3283
3284 // DryRun configuration
3285 "dryRun"?: {
3286 "enable"?: bool
3287 "namespace"?: string
3288 }
3289
3290 // Fields which will be ignored while comparing manifests.
3291 "ignoreFields"?: [...{
3292 "fields"?: [...string]
3293 "objects"?: [...{
3294 "group"?: string
3295 "kind"?: string
3296 "name"?: string
3297 "namespace"?: string
3298 "version"?: string
3299 }]
3300 }]
3301
3302 // Repository is an optional alternate OCI repository to use for
3303 // resource bundle reference.
3304 // The repository can be overridden per Attestor or Attestation.
3305 "repository"?: string
3306 }
3307
3308 // Message specifies a custom message to be displayed on failure.
3309 "message"?: string
3310
3311 // Pattern specifies an overlay-style pattern used to check
3312 // resources.
3313 "pattern"?: null | bool | number | string | [...] | {
3314 ...
3315 }
3316
3317 // PodSecurity applies exemptions for Kubernetes Pod Security
3318 // admission
3319 // by specifying exclusions for Pod Security Standards controls.
3320 "podSecurity"?: {
3321 // Exclude specifies the Pod Security Standard controls to be
3322 // excluded.
3323 "exclude"?: [...{
3324 // ControlName specifies the name of the Pod Security Standard
3325 // control.
3326 // See:
3327 // https://kubernetes.io/docs/concepts/security/pod-security-standards/
3328 "controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
3329
3330 // Images selects matching containers and applies the container
3331 // level PSS.
3332 // Each image is the image name consisting of the registry
3333 // address, repository, image, and tag.
3334 // Empty list matches no containers, PSS checks are applied at the
3335 // pod level only.
3336 // Wildcards ('*' and '?') are allowed. See:
3337 // https://kubernetes.io/docs/concepts/containers/images.
3338 "images"?: [...string]
3339
3340 // RestrictedField selects the field for the given Pod Security
3341 // Standard control.
3342 // When not set, all restricted fields for the control are
3343 // selected.
3344 "restrictedField"?: string
3345
3346 // Values defines the allowed values that can be excluded.
3347 "values"?: [...string]
3348 }]
3349
3350 // Level defines the Pod Security Standard level to be applied to
3351 // workloads.
3352 // Allowed values are privileged, baseline, and restricted.
3353 "level"?: "privileged" | "baseline" | "restricted"
3354
3355 // Version defines the Pod Security Standard versions that
3356 // Kubernetes supports.
3357 // Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
3358 // v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
3359 "version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
3360 }
3361 }
3362
3363 // VerifyImages is used to verify image signatures and mutate them
3364 // to add a digest
3365 "verifyImages"?: [...{
3366 // Deprecated.
3367 "additionalExtensions"?: [string]: string
3368
3369 // Deprecated. Use annotations per Attestor instead.
3370 "annotations"?: {
3371 [string]: string
3372 }
3373
3374 // Attestations are optional checks for signed in-toto Statements
3375 // used to verify the image.
3376 // See https://github.com/in-toto/attestation. Kyverno fetches
3377 // signed attestations from the
3378 // OCI registry and decodes them into a list of Statement
3379 // declarations.
3380 "attestations"?: [...{
3381 // Attestors specify the required attestors (i.e. authorities).
3382 "attestors"?: [...{
3383 // Count specifies the required number of entries that must match.
3384 // If the count is null, all entries must match
3385 // (a logical AND). If the count is 1, at least one entry must
3386 // match (a logical OR). If the count contains a
3387 // value N, then N must be less than or equal to the size of
3388 // entries, and at least N entries must match.
3389 "count"?: int & >=1
3390
3391 // Entries contains the available attestors. An attestor can be a
3392 // static key,
3393 // attributes for keyless verification, or a nested attestor
3394 // declaration.
3395 "entries"?: [...{
3396 // Annotations are used for image verification.
3397 // Every specified key-value pair must exist and match in the
3398 // verified payload.
3399 // The payload may contain other key-value pairs.
3400 "annotations"?: [string]: string
3401
3402 // Attestor is a nested set of Attestor used to specify a more
3403 // complex set of match authorities.
3404 "attestor"?: null | bool | number | string | [...] | {
3405 ...
3406 }
3407
3408 // Certificates specifies one or more certificates.
3409 "certificates"?: {
3410 // Cert is an optional PEM-encoded public certificate.
3411 "cert"?: string
3412
3413 // CertChain is an optional PEM encoded set of certificates used
3414 // to verify.
3415 "certChain"?: string
3416
3417 // CTLog (certificate timestamp log) provides a configuration for
3418 // validation of Signed Certificate
3419 // Timestamps (SCTs). If the value is unset, the default behavior
3420 // by Cosign is used.
3421 "ctlog"?: {
3422 // IgnoreSCT defines whether to use the Signed Certificate
3423 // Timestamp (SCT) log to check for a certificate
3424 // timestamp. Default is false. Set to true if this was opted out
3425 // during signing.
3426 "ignoreSCT"?: bool
3427
3428 // PubKey, if set, is used to validate SCTs against a custom
3429 // source.
3430 "pubkey"?: string
3431
3432 // TSACertChain, if set, is the PEM-encoded certificate chain file
3433 // for the RFC3161 timestamp authority. Must
3434 // contain the root CA certificate. Optionally may contain
3435 // intermediate CA certificates, and
3436 // may contain the leaf TSA certificate if not present in the
3437 // timestamp source.
3438 "tsaCertChain"?: string
3439 }
3440
3441 // Rekor provides configuration for the Rekor transparency log
3442 // service. If an empty object
3443 // is provided the public instance of Rekor
3444 // (https://rekor.sigstore.dev) is used.
3445 "rekor"?: {
3446 // IgnoreTlog skips transparency log verification.
3447 "ignoreTlog"?: bool
3448
3449 // RekorPubKey is an optional PEM-encoded public key to use for a
3450 // custom Rekor.
3451 // If set, this will be used to validate transparency log
3452 // signatures from a custom Rekor.
3453 "pubkey"?: string
3454
3455 // URL is the address of the transparency log. Defaults to the
3456 // public Rekor log instance https://rekor.sigstore.dev.
3457 "url"?: string
3458 }
3459 }
3460
3461 // Keyless is a set of attributes used to verify a Sigstore
3462 // keyless attestor.
3463 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3464 "keyless"?: {
3465 // AdditionalExtensions are certificate-extensions used for
3466 // keyless signing.
3467 "additionalExtensions"?: [string]: string
3468
3469 // CTLog (certificate timestamp log) provides a configuration for
3470 // validation of Signed Certificate
3471 // Timestamps (SCTs). If the value is unset, the default behavior
3472 // by Cosign is used.
3473 "ctlog"?: {
3474 // IgnoreSCT defines whether to use the Signed Certificate
3475 // Timestamp (SCT) log to check for a certificate
3476 // timestamp. Default is false. Set to true if this was opted out
3477 // during signing.
3478 "ignoreSCT"?: bool
3479
3480 // PubKey, if set, is used to validate SCTs against a custom
3481 // source.
3482 "pubkey"?: string
3483
3484 // TSACertChain, if set, is the PEM-encoded certificate chain file
3485 // for the RFC3161 timestamp authority. Must
3486 // contain the root CA certificate. Optionally may contain
3487 // intermediate CA certificates, and
3488 // may contain the leaf TSA certificate if not present in the
3489 // timestamp source.
3490 "tsaCertChain"?: string
3491 }
3492
3493 // Issuer is the certificate issuer used for keyless signing.
3494 "issuer"?: string
3495
3496 // IssuerRegExp is the regular expression to match certificate
3497 // issuer used for keyless signing.
3498 "issuerRegExp"?: string
3499
3500 // Rekor provides configuration for the Rekor transparency log
3501 // service. If an empty object
3502 // is provided the public instance of Rekor
3503 // (https://rekor.sigstore.dev) is used.
3504 "rekor"?: {
3505 // IgnoreTlog skips transparency log verification.
3506 "ignoreTlog"?: bool
3507
3508 // RekorPubKey is an optional PEM-encoded public key to use for a
3509 // custom Rekor.
3510 // If set, this will be used to validate transparency log
3511 // signatures from a custom Rekor.
3512 "pubkey"?: string
3513
3514 // URL is the address of the transparency log. Defaults to the
3515 // public Rekor log instance https://rekor.sigstore.dev.
3516 "url"?: string
3517 }
3518
3519 // Roots is an optional set of PEM encoded trusted root
3520 // certificates.
3521 // If not provided, the system roots are used.
3522 "roots"?: string
3523
3524 // Subject is the verified identity used for keyless signing, for
3525 // example the email address.
3526 "subject"?: string
3527
3528 // SubjectRegExp is the regular expression to match identity used
3529 // for keyless signing, for example the email address.
3530 "subjectRegExp"?: string
3531 }
3532
3533 // Keys specifies one or more public keys.
3534 "keys"?: {
3535 // CTLog (certificate timestamp log) provides a configuration for
3536 // validation of Signed Certificate
3537 // Timestamps (SCTs). If the value is unset, the default behavior
3538 // by Cosign is used.
3539 "ctlog"?: {
3540 // IgnoreSCT defines whether to use the Signed Certificate
3541 // Timestamp (SCT) log to check for a certificate
3542 // timestamp. Default is false. Set to true if this was opted out
3543 // during signing.
3544 "ignoreSCT"?: bool
3545
3546 // PubKey, if set, is used to validate SCTs against a custom
3547 // source.
3548 "pubkey"?: string
3549
3550 // TSACertChain, if set, is the PEM-encoded certificate chain file
3551 // for the RFC3161 timestamp authority. Must
3552 // contain the root CA certificate. Optionally may contain
3553 // intermediate CA certificates, and
3554 // may contain the leaf TSA certificate if not present in the
3555 // timestamp response.
3556 "tsaCertChain"?: string
3557 }
3558
3559 // KMS provides the URI to the public key stored in a Key
3560 // Management System. See:
3561 // https://github.com/sigstore/cosign/blob/main/KMS.md
3562 "kms"?: string
3563
3564 // Keys is a set of X.509 public keys used to verify image
3565 // signatures. The keys can be directly
3566 // specified or can be a variable reference to a key specified in
3567 // a ConfigMap (see
3568 // https://kyverno.io/docs/writing-policies/variables/), or
3569 // reference a standard Kubernetes Secret
3570 // elsewhere in the cluster by specifying it in the format
3571 // "k8s://<namespace>/<secret_name>".
3572 // The named Secret must specify a key `cosign.pub` containing the
3573 // public key used for
3574 // verification, (see
3575 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3576 // When multiple keys are specified each key is processed as a
3577 // separate staticKey entry
3578 // (.attestors[*].entries.keys) within the set of attestors and
3579 // the count is applied across the keys.
3580 "publicKeys"?: string
3581
3582 // Rekor provides configuration for the Rekor transparency log
3583 // service. If an empty object
3584 // is provided the public instance of Rekor
3585 // (https://rekor.sigstore.dev) is used.
3586 "rekor"?: {
3587 // IgnoreTlog skips transparency log verification.
3588 "ignoreTlog"?: bool
3589
3590 // RekorPubKey is an optional PEM-encoded public key to use for a
3591 // custom Rekor.
3592 // If set, this will be used to validate transparency log
3593 // signatures from a custom Rekor.
3594 "pubkey"?: string
3595
3596 // URL is the address of the transparency log. Defaults to the
3597 // public Rekor log instance https://rekor.sigstore.dev.
3598 "url"?: string
3599 }
3600
3601 // Reference to a Secret resource that contains a public key
3602 "secret"?: {
3603 // Name of the secret. The provided secret must contain a key
3604 // named cosign.pub.
3605 "name"!: string
3606
3607 // Namespace name where the Secret exists.
3608 "namespace"!: string
3609 }
3610
3611 // Deprecated. Use attestor.signatureAlgorithm instead.
3612 "signatureAlgorithm"?: string
3613 }
3614
3615 // Repository is an optional alternate OCI repository to use for
3616 // signatures and attestations that match this rule.
3617 // If specified Repository will override other OCI image
3618 // repository locations for this Attestor.
3619 "repository"?: string
3620
3621 // Specify signature algorithm for public keys. Supported values
3622 // are sha224, sha256, sha384 and sha512.
3623 "signatureAlgorithm"?: string
3624 }]
3625 }]
3626
3627 // Conditions are used to verify attributes within a Predicate. If
3628 // no Conditions are specified
3629 // the attestation check is satisfied as long as there are predicates
3630 // that match the predicate type.
3631 "conditions"?: [...{
3632 // AllConditions enable variable-based conditional rule execution.
3633 // This is useful for
3634 // finer control of when a rule is applied. A condition can
3635 // reference object data
3636 // using JMESPath notation.
3637 // Here, all of the conditions need to pass
3638 "all"?: [...{
3639 // Key is the context entry (using JMESPath) for conditional rule
3640 // evaluation.
3641 "key"?: null | bool | number | string | [...] | {
3642 ...
3643 }
3644
3645 // Message is an optional display message
3646 "message"?: string
3647
3648 // Operator is the conditional operation to perform. Valid
3649 // operators are:
3650 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3651 // GreaterThanOrEquals,
3652 // GreaterThan, LessThanOrEquals, LessThan,
3653 // DurationGreaterThanOrEquals, DurationGreaterThan,
3654 // DurationLessThanOrEquals, DurationLessThan
3655 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3656
3657 // Value is the conditional value, or set of values. The values
3658 // can be a fixed set
3659 // or can be variables declared using JMESPath.
3660 "value"?: null | bool | number | string | [...] | {
3661 ...
3662 }
3663 }]
3664
3665 // AnyConditions enable variable-based conditional rule execution.
3666 // This is useful for
3667 // finer control of when a rule is applied. A condition can
3668 // reference object data
3669 // using JMESPath notation.
3670 // Here, at least one of the conditions needs to pass
3671 "any"?: [...{
3672 // Key is the context entry (using JMESPath) for conditional rule
3673 // evaluation.
3674 "key"?: null | bool | number | string | [...] | {
3675 ...
3676 }
3677
3678 // Message is an optional display message
3679 "message"?: string
3680
3681 // Operator is the conditional operation to perform. Valid
3682 // operators are:
3683 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3684 // GreaterThanOrEquals,
3685 // GreaterThan, LessThanOrEquals, LessThan,
3686 // DurationGreaterThanOrEquals, DurationGreaterThan,
3687 // DurationLessThanOrEquals, DurationLessThan
3688 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3689
3690 // Value is the conditional value, or set of values. The values
3691 // can be a fixed set
3692 // or can be variables declared using JMESPath.
3693 "value"?: null | bool | number | string | [...] | {
3694 ...
3695 }
3696 }]
3697 }]
3698
3699 // Name is the variable name.
3700 "name"?: string
3701
3702 // Deprecated in favour of 'Type', to be removed soon
3703 "predicateType"?: string
3704
3705 // Type defines the type of attestation contained within the
3706 // Statement.
3707 "type"?: string
3708 }]
3709
3710 // Attestors specifies the required attestors (i.e. authorities)
3711 "attestors"?: [...{
3712 // Count specifies the required number of entries that must match.
3713 // If the count is null, all entries must match
3714 // (a logical AND). If the count is 1, at least one entry must
3715 // match (a logical OR). If the count contains a
3716 // value N, then N must be less than or equal to the size of
3717 // entries, and at least N entries must match.
3718 "count"?: int & >=1
3719
3720 // Entries contains the available attestors. An attestor can be a
3721 // static key,
3722 // attributes for keyless verification, or a nested attestor
3723 // declaration.
3724 "entries"?: [...{
3725 // Annotations are used for image verification.
3726 // Every specified key-value pair must exist and match in the
3727 // verified payload.
3728 // The payload may contain other key-value pairs.
3729 "annotations"?: [string]: string
3730
3731 // Attestor is a nested set of Attestor used to specify a more
3732 // complex set of match authorities.
3733 "attestor"?: null | bool | number | string | [...] | {
3734 ...
3735 }
3736
3737 // Certificates specifies one or more certificates.
3738 "certificates"?: {
3739 // Cert is an optional PEM-encoded public certificate.
3740 "cert"?: string
3741
3742 // CertChain is an optional PEM encoded set of certificates used
3743 // to verify.
3744 "certChain"?: string
3745
3746 // CTLog (certificate timestamp log) provides a configuration for
3747 // validation of Signed Certificate
3748 // Timestamps (SCTs). If the value is unset, the default behavior
3749 // by Cosign is used.
3750 "ctlog"?: {
3751 // IgnoreSCT defines whether to use the Signed Certificate
3752 // Timestamp (SCT) log to check for a certificate
3753 // timestamp. Default is false. Set to true if this was opted out
3754 // during signing.
3755 "ignoreSCT"?: bool
3756
3757 // PubKey, if set, is used to validate SCTs against a custom
3758 // source.
3759 "pubkey"?: string
3760
3761 // TSACertChain, if set, is the PEM-encoded certificate chain file
3762 // for the RFC3161 timestamp authority. Must
3763 // contain the root CA certificate. Optionally may contain
3764 // intermediate CA certificates, and
3765 // may contain the leaf TSA certificate if not present in the
3766 // timestamp response.
3767 "tsaCertChain"?: string
3768 }
3769
3770 // Rekor provides configuration for the Rekor transparency log
3771 // service. If an empty object
3772 // is provided the public instance of Rekor
3773 // (https://rekor.sigstore.dev) is used.
3774 "rekor"?: {
3775 // IgnoreTlog skips transparency log verification.
3776 "ignoreTlog"?: bool
3777
3778 // RekorPubKey is an optional PEM-encoded public key to use for a
3779 // custom Rekor.
3780 // If set, this will be used to validate transparency log
3781 // signatures from a custom Rekor.
3782 "pubkey"?: string
3783
3784 // URL is the address of the transparency log. Defaults to the
3785 // public Rekor log instance https://rekor.sigstore.dev.
3786 "url"?: string
3787 }
3788 }
3789
3790 // Keyless is a set of attribute used to verify a Sigstore keyless
3791 // attestor.
3792 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3793 "keyless"?: {
3794 // AdditionalExtensions are certificate-extensions used for
3795 // keyless signing.
3796 "additionalExtensions"?: [string]: string
3797
3798 // CTLog (certificate timestamp log) provides a configuration for
3799 // validation of Signed Certificate
3800 // Timestamps (SCTs). If the value is unset, the default behavior
3801 // by Cosign is used.
3802 "ctlog"?: {
3803 // IgnoreSCT defines whether to use the Signed Certificate
3804 // Timestamp (SCT) log to check for a certificate
3805 // timestamp. Default is false. Set to true if this was opted out
3806 // during signing.
3807 "ignoreSCT"?: bool
3808
3809 // PubKey, if set, is used to validate SCTs against a custom
3810 // source.
3811 "pubkey"?: string
3812
3813 // TSACertChain, if set, is the PEM-encoded certificate chain file
3814 // for the RFC3161 timestamp authority. Must
3815 // contain the root CA certificate. Optionally may contain
3816 // intermediate CA certificates, and
3817 // may contain the leaf TSA certificate if not present in the
3818 // timestamp response.
3819 "tsaCertChain"?: string
3820 }
3821
3822 // Issuer is the certificate issuer used for keyless signing.
3823 "issuer"?: string
3824
3825 // IssuerRegExp is the regular expression to match certificate
3826 // issuer used for keyless signing.
3827 "issuerRegExp"?: string
3828
3829 // Rekor provides configuration for the Rekor transparency log
3830 // service. If an empty object
3831 // is provided the public instance of Rekor
3832 // (https://rekor.sigstore.dev) is used.
3833 "rekor"?: {
3834 // IgnoreTlog skips transparency log verification.
3835 "ignoreTlog"?: bool
3836
3837 // RekorPubKey is an optional PEM-encoded public key to use for a
3838 // custom Rekor.
3839 // If set, this will be used to validate transparency log
3840 // signatures from a custom Rekor.
3841 "pubkey"?: string
3842
3843 // URL is the address of the transparency log. Defaults to the
3844 // public Rekor log instance https://rekor.sigstore.dev.
3845 "url"?: string
3846 }
3847
3848 // Roots is an optional set of PEM encoded trusted root
3849 // certificates.
3850 // If not provided, the system roots are used.
3851 "roots"?: string
3852
3853 // Subject is the verified identity used for keyless signing, for
3854 // example the email address.
3855 "subject"?: string
3856
3857 // SubjectRegExp is the regular expression to match identity used
3858 // for keyless signing, for example the email address.
3859 "subjectRegExp"?: string
3860 }
3861
3862 // Keys specifies one or more public keys.
3863 "keys"?: {
3864 // CTLog (certificate timestamp log) provides a configuration for
3865 // validation of Signed Certificate
3866 // Timestamps (SCTs). If the value is unset, the default behavior
3867 // by Cosign is used.
3868 "ctlog"?: {
3869 // IgnoreSCT defines whether to use the Signed Certificate
3870 // Timestamp (SCT) log to check for a certificate
3871 // timestamp. Default is false. Set to true if this was opted out
3872 // during signing.
3873 "ignoreSCT"?: bool
3874
3875 // PubKey, if set, is used to validate SCTs against a custom
3876 // source.
3877 "pubkey"?: string
3878
3879 // TSACertChain, if set, is the PEM-encoded certificate chain file
3880 // for the RFC3161 timestamp authority. Must
3881 // contain the root CA certificate. Optionally may contain
3882 // intermediate CA certificates, and
3883 // may contain the leaf TSA certificate if not present in the
3884 // timestamp response.
3885 "tsaCertChain"?: string
3886 }
3887
3888 // KMS provides the URI to the public key stored in a Key
3889 // Management System. See:
3890 // https://github.com/sigstore/cosign/blob/main/KMS.md
3891 "kms"?: string
3892
3893 // Keys is a set of X.509 public keys used to verify image
3894 // signatures. The keys can be directly
3895 // specified or can be a variable reference to a key specified in
3896 // a ConfigMap (see
3897 // https://kyverno.io/docs/writing-policies/variables/), or
3898 // reference a standard Kubernetes Secret
3899 // elsewhere in the cluster by specifying it in the format
3900 // "k8s://<namespace>/<secret_name>".
3901 // The named Secret must specify a key `cosign.pub` containing the
3902 // public key used for
3903 // verification, (see
3904 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3905 // When multiple keys are specified each key is processed as a
3906 // separate staticKey entry
3907 // (.attestors[*].entries.keys) within the set of attestors and
3908 // the count is applied across the keys.
3909 "publicKeys"?: string
3910
3911 // Rekor provides configuration for the Rekor transparency log
3912 // service. If an empty object
3913 // is provided the public instance of Rekor
3914 // (https://rekor.sigstore.dev) is used.
3915 "rekor"?: {
3916 // IgnoreTlog skips transparency log verification.
3917 "ignoreTlog"?: bool
3918
3919 // RekorPubKey is an optional PEM-encoded public key to use for a
3920 // custom Rekor.
3921 // If set, this will be used to validate transparency log
3922 // signatures from a custom Rekor.
3923 "pubkey"?: string
3924
3925 // URL is the address of the transparency log. Defaults to the
3926 // public Rekor log instance https://rekor.sigstore.dev.
3927 "url"?: string
3928 }
3929
3930 // Reference to a Secret resource that contains a public key
3931 "secret"?: {
3932 // Name of the secret. The provided secret must contain a key
3933 // named cosign.pub.
3934 "name"!: string
3935
3936 // Namespace name where the Secret exists.
3937 "namespace"!: string
3938 }
3939
3940 // Deprecated. Use attestor.signatureAlgorithm instead.
3941 "signatureAlgorithm"?: string
3942 }
3943
3944 // Repository is an optional alternate OCI repository to use for
3945 // signatures and attestations that match this rule.
3946 // If specified Repository will override other OCI image
3947 // repository locations for this Attestor.
3948 "repository"?: string
3949
3950 // Specify signature algorithm for public keys. Supported values
3951 // are sha224, sha256, sha384 and sha512.
3952 "signatureAlgorithm"?: string
3953 }]
3954 }]
3955
3956 // CosignOCI11 enables the experimental OCI 1.1 behaviour in
3957 // cosign image verification.
3958 // Defaults to false.
3959 "cosignOCI11"?: bool
3960
3961 // Allowed values are Audit or Enforce.
3962 "failureAction"?: "Audit" | "Enforce"
3963
3964 // Deprecated. Use ImageReferences instead.
3965 "image"?: string
3966
3967 // ImageReferences is a list of matching image reference patterns.
3968 // At least one pattern in the
3969 // list must match the image for the rule to apply. Each image
3970 // reference consists of a registry
3971 // address (defaults to docker.io), repository, image, and tag
3972 // (defaults to latest).
3973 // Wildcards ('*' and '?') are allowed. See:
3974 // https://kubernetes.io/docs/concepts/containers/images.
3975 "imageReferences"?: [...string]
3976
3977 // ImageRegistryCredentials provides credentials that will be used
3978 // for authentication with registry.
3979 "imageRegistryCredentials"?: {
3980 // AllowInsecureRegistry allows insecure access to a registry.
3981 "allowInsecureRegistry"?: bool
3982
3983 // Providers specifies a list of OCI Registry names, whose
3984 // authentication providers are provided.
3985 // It can be one of these values:
3986 // default, google, azure, amazon, github.
3987 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
3988
3989 // Secrets specifies a list of secrets that are provided for
3990 // credentials.
3991 // Secrets must live in the Kyverno namespace.
3992 "secrets"?: [...string]
3993 }
3994
3995 // Deprecated. Use KeylessAttestor instead.
3996 "issuer"?: string
3997
3998 // Deprecated. Use StaticKeyAttestor instead.
3999 "key"?: string
4000
4001 // MutateDigest enables replacement of image tags with digests.
4002 // Defaults to true.
4003 "mutateDigest"?: bool
4004
4005 // Repository is an optional alternate OCI repository to use for
4006 // image signatures and attestations that match this rule.
4007 // If specified Repository will override the default OCI image
4008 // repository configured for the installation.
4009 // The repository can also be overridden per Attestor or
4010 // Attestation.
4011 "repository"?: string
4012
4013 // Required validates that images are verified, i.e. have
4014 // passed a signature or attestation check.
4015 "required"?: bool
4016
4017 // Deprecated. Use KeylessAttestor instead.
4018 "roots"?: string
4019
4020 // SkipImageReferences is a list of matching image reference
4021 // patterns that should be skipped.
4022 // At least one pattern in the list must match the image for the
4023 // rule to be skipped. Each image reference
4024 // consists of a registry address (defaults to docker.io),
4025 // repository, image, and tag (defaults to latest).
4026 // Wildcards ('*' and '?') are allowed. See:
4027 // https://kubernetes.io/docs/concepts/containers/images.
4028 "skipImageReferences"?: [...string]
4029
4030 // Deprecated. Use KeylessAttestor instead.
4031 "subject"?: string
4032
4033 // Type specifies the method of signature validation. The allowed
4034 // options
4035 // are Cosign, Sigstore Bundle and Notary. By default Cosign is
4036 // used if a type is not specified.
4037 "type"?: "Cosign" | "SigstoreBundle" | "Notary"
4038
4039 // UseCache enables caching of image verify responses for this
4040 // rule.
4041 "useCache"?: bool
4042
4043 // Validation checks conditions across multiple image
4044 // verification attestations or context entries
4045 "validate"?: {
4046 // Deny defines conditions used to pass or fail a validation rule.
4047 "deny"?: {
4048 // Multiple conditions can be declared under an `any` or `all`
4049 // statement. A direct list
4050 // of conditions (without `any` or `all` statements) is also
4051 // supported for backwards compatibility
4052 // but will be deprecated in the next major release.
4053 // See:
4054 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
4055 "conditions"?: null | bool | number | string | [...] | {
4056 ...
4057 }
4058 }
4059
4060 // Message specifies a custom message to be displayed on failure.
4061 "message"?: string
4062 }
4063
4064 // VerifyDigest validates that images have a digest.
4065 "verifyDigest"?: bool
4066 }]
4067 }]
4068
4069 // Deprecated.
4070 "schemaValidation"?: bool
4071
4072 // UseServerSideApply controls whether to use server-side apply
4073 // for generate rules
4074 // If set to "true", create & update for generate rules will use
4075 // apply instead of create/update.
4076 // Defaults to "false" if not specified.
4077 "useServerSideApply"?: bool
4078
4079 // Deprecated, use validationFailureAction under the validate rule
4080 // instead.
4081 "validationFailureAction"?: "audit" | "enforce" | "Audit" | "Enforce"
4082
4083 // Deprecated, use validationFailureActionOverrides under the
4084 // validate rule instead.
4085 "validationFailureActionOverrides"?: [...{
4086 // ValidationFailureAction defines the policy validation failure
4087 // action
4088 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
4089
4090 // A label selector is a label query over a set of resources. The
4091 // result of matchLabels and
4092 // matchExpressions are ANDed. An empty label selector matches all
4093 // objects. A null
4094 // label selector matches no objects.
4095 "namespaceSelector"?: {
4096 // matchExpressions is a list of label selector requirements. The
4097 // requirements are ANDed.
4098 "matchExpressions"?: [...{
4099 // key is the label key that the selector applies to.
4100 "key"!: string
4101
4102 // operator represents a key's relationship to a set of values.
4103 // Valid operators are In, NotIn, Exists and DoesNotExist.
4104 "operator"!: string
4105
4106 // values is an array of string values. If the operator is In or
4107 // NotIn,
4108 // the values array must be non-empty. If the operator is Exists
4109 // or DoesNotExist,
4110 // the values array must be empty. This array is replaced during a
4111 // strategic
4112 // merge patch.
4113 "values"?: [...string]
4114 }]
4115
4116 // matchLabels is a map of {key,value} pairs. A single {key,value}
4117 // in the matchLabels
4118 // map is equivalent to an element of matchExpressions, whose key
4119 // field is "key", the
4120 // operator is "In", and the values array contains only "value".
4121 // The requirements are ANDed.
4122 "matchLabels"?: {
4123 [string]: string
4124 }
4125 }
4126 "namespaces"?: [...string]
4127 }]
4128
4129 // WebhookConfiguration specifies the custom configuration for
4130 // Kubernetes admission webhookconfiguration.
4131 "webhookConfiguration"?: {
4132 // FailurePolicy defines how unexpected policy errors and webhook
4133 // response timeout errors are handled.
4134 // Rules within the same policy share the same failure behavior.
4135 // This field should not be accessed directly, instead
4136 // `GetFailurePolicy()` should be used.
4137 // Allowed values are Ignore or Fail. Defaults to Fail.
4138 "failurePolicy"?: "Ignore" | "Fail"
4139
4140 // MatchCondition configures admission webhook matchConditions.
4141 // Requires Kubernetes 1.27 or later.
4142 "matchConditions"?: [...{
4143 // Expression represents the expression which will be evaluated by
4144 // CEL. Must evaluate to bool.
4145 // CEL expressions have access to the contents of the
4146 // AdmissionRequest and Authorizer, organized into CEL variables:
4147 //
4148 // 'object' - The object from the incoming request. The value is
4149 // null for DELETE requests.
4150 // 'oldObject' - The existing object. The value is null for CREATE
4151 // requests.
4152 // 'request' - Attributes of the admission
4153 // request(/pkg/apis/admission/types.go#AdmissionRequest).
4154 // 'authorizer' - A CEL Authorizer. May be used to perform
4155 // authorization checks for the principal (user or service
4156 // account) of the request.
4157 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
4158 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
4159 // from the 'authorizer' and configured with the
4160 // request resource.
4161 // Documentation on CEL:
4162 // https://kubernetes.io/docs/reference/using-api/cel/
4163 //
4164 // Required.
4165 "expression"!: string
4166
4167 // Name is an identifier for this match condition, used for
4168 // strategic merging of MatchConditions,
4169 // as well as providing an identifier for logging purposes. A good
4170 // name should be descriptive of
4171 // the associated expression.
4172 // Name must be a qualified name consisting of alphanumeric
4173 // characters, '-', '_' or '.', and
4174 // must start and end with an alphanumeric character (e.g.
4175 // 'MyName', or 'my.name', or
4176 // '123-abc', regex used for validation is
4177 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
4178 // optional DNS subdomain prefix and '/' (e.g.
4179 // 'example.com/MyName')
4180 //
4181 // Required.
4182 "name"!: string
4183 }]
4184
4185 // TimeoutSeconds specifies the maximum time in seconds allowed to
4186 // apply this policy.
4187 // After the configured time expires, the admission request may
4188 // fail, or may simply ignore the policy results,
4189 // based on the failure policy. The default timeout is 10s, the
4190 // value must be between 1 and 30 seconds.
4191 "timeoutSeconds"?: int32 & int
4192 }
4193
4194 // Deprecated, use webhookTimeoutSeconds under
4195 // webhookConfiguration instead.
4196 "webhookTimeoutSeconds"?: int32 & int
4197 }
4198
4199 // Status contains policy runtime data.
4200 "status"?: {
4201 // AutogenStatus contains autogen status information.
4202 "autogen"?: {
4203 // Rules is a list of Rule instances. It contains auto generated
4204 // rules added for pod controllers
4205 "rules"?: [...{
4206 // CELPreconditions are used to determine if a policy rule should
4207 // be applied by evaluating a
4208 // set of CEL conditions. It can only be used with the
4209 // validate.cel subrule
4210 "celPreconditions"?: [...{
4211 // Expression represents the expression which will be evaluated by
4212 // CEL. Must evaluate to bool.
4213 // CEL expressions have access to the contents of the
4214 // AdmissionRequest and Authorizer, organized into CEL variables:
4215 //
4216 // 'object' - The object from the incoming request. The value is
4217 // null for DELETE requests.
4218 // 'oldObject' - The existing object. The value is null for CREATE
4219 // requests.
4220 // 'request' - Attributes of the admission
4221 // request(/pkg/apis/admission/types.go#AdmissionRequest).
4222 // 'authorizer' - A CEL Authorizer. May be used to perform
4223 // authorization checks for the principal (user or service
4224 // account) of the request.
4225 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
4226 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
4227 // from the 'authorizer' and configured with the
4228 // request resource.
4229 // Documentation on CEL:
4230 // https://kubernetes.io/docs/reference/using-api/cel/
4231 //
4232 // Required.
4233 "expression"!: string
4234
4235 // Name is an identifier for this match condition, used for
4236 // strategic merging of MatchConditions,
4237 // as well as providing an identifier for logging purposes. A good
4238 // name should be descriptive of
4239 // the associated expression.
4240 // Name must be a qualified name consisting of alphanumeric
4241 // characters, '-', '_' or '.', and
4242 // must start and end with an alphanumeric character (e.g.
4243 // 'MyName', or 'my.name', or
4244 // '123-abc', regex used for validation is
4245 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
4246 // optional DNS subdomain prefix and '/' (e.g.
4247 // 'example.com/MyName')
4248 //
4249 // Required.
4250 "name"!: string
4251 }]
4252
4253 // Context defines variables and data sources that can be used
4254 // during rule execution.
4255 "context"?: [...matchN(1, [{
4256 "configMap"!: _
4257 }, {
4258 "apiCall"!: _
4259 }, {
4260 "imageRegistry"!: _
4261 }, {
4262 "variable"!: _
4263 }, {
4264 "globalReference"!: _
4265 }]) & {
4266 // APICall is an HTTP request to the Kubernetes API server, or
4267 // other JSON web service.
4268 // The data returned is stored in the context with the name for
4269 // the context entry.
4270 "apiCall"?: {
4271 // The data object specifies the POST data sent to the server.
4272 // Only applicable when the method field is set to POST.
4273 "data"?: [...{
4274 // Key is a unique identifier for the data value
4275 "key"!: string
4276
4277 // Value is the data value
4278 "value"!: null | bool | number | string | [...] | {
4279 ...
4280 }
4281 }]
4282
4283 // Default is an optional arbitrary JSON object that the context
4284 // value is set to if the apiCall returns an error.
4285 "default"?: null | bool | number | string | [...] | {
4286 ...
4287 }
4288
4289 // JMESPath is an optional JSON Match Expression that can be used
4290 // to
4291 // transform the JSON response returned from the server. For
4292 // example
4293 // a JMESPath of "items | length(@)" applied to the API server
4294 // response
4295 // for the URLPath "/apis/apps/v1/deployments" will return the
4296 // total count
4297 // of deployments across all namespaces.
4298 "jmesPath"?: string
4299
4300 // Method is the HTTP request type (GET or POST). Defaults to GET.
4301 "method"?: "GET" | "POST"
4302
4303 // Service is an API call to a JSON web service.
4304 // This is used for non-Kubernetes API server calls.
4305 // It's mutually exclusive with the URLPath field.
4306 "service"?: {
4307 // CABundle is a PEM encoded CA bundle which will be used to
4308 // validate
4309 // the server certificate.
4310 "caBundle"?: string
4311
4312 // Headers is a list of optional HTTP headers to be included in
4313 // the request.
4314 "headers"?: [...{
4315 // Key is the header key
4316 "key"!: string
4317
4318 // Value is the header value
4319 "value"!: string
4320 }]
4321
4322 // URL is the JSON web service URL. A typical form is
4323 // `https://{service}.{namespace}:{port}/{path}`.
4324 "url"!: string
4325 }
4326
4327 // URLPath is the URL path to be used in the HTTP GET or POST
4328 // request to the
4329 // Kubernetes API server (e.g. "/api/v1/namespaces" or
4330 // "/apis/apps/v1/deployments").
4331 // The format required is the same format used by the `kubectl get
4332 // --raw` command.
4333 // See
4334 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
4335 // for details.
4336 // It's mutually exclusive with the Service field.
4337 "urlPath"?: string
4338 }
4339
4340 // ConfigMap is the ConfigMap reference.
4341 "configMap"?: {
4342 // Name is the ConfigMap name.
4343 "name"!: string
4344
4345 // Namespace is the ConfigMap namespace.
4346 "namespace"?: string
4347 }
4348
4349 // GlobalContextEntryReference is a reference to a cached global
4350 // context entry.
4351 "globalReference"?: {
4352 // JMESPath is an optional JSON Match Expression that can be used
4353 // to
4354 // transform the JSON response returned from the server. For
4355 // example
4356 // a JMESPath of "items | length(@)" applied to the API server
4357 // response
4358 // for the URLPath "/apis/apps/v1/deployments" will return the
4359 // total count
4360 // of deployments across all namespaces.
4361 "jmesPath"?: string
4362
4363 // Name of the global context entry
4364 "name"!: string
4365 }
4366
4367 // ImageRegistry defines requests to an OCI/Docker V2 registry to
4368 // fetch image
4369 // details.
4370 "imageRegistry"?: {
4371 // ImageRegistryCredentials provides credentials that will be used
4372 // for authentication with registry
4373 "imageRegistryCredentials"?: {
4374 // AllowInsecureRegistry allows insecure access to a registry.
4375 "allowInsecureRegistry"?: bool
4376
4377 // Providers specifies a list of OCI registry authentication
4378 // providers to use.
4379 // Each entry must be one of these values:
4380 // default, google, azure, amazon, github.
4381 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
4382
4383 // Secrets specifies a list of secrets that are provided for
4384 // credentials.
4385 // Secrets must live in the Kyverno namespace.
4386 "secrets"?: [...string]
4387 }
4388
4389 // JMESPath is an optional JSON Match Expression that can be used
4390 // to
4391 // transform the ImageData struct returned as a result of
4392 // processing
4393 // the image reference.
4394 "jmesPath"?: string
4395
4396 // Reference is the image reference to a container image in the
4397 // registry.
4398 // Example: ghcr.io/kyverno/kyverno:latest
4399 "reference"!: string
4400 }
4401
4402 // Name is the variable name.
4403 "name"!: string
4404
4405 // Variable defines an arbitrary JMESPath context variable that
4406 // can be defined inline.
4407 "variable"?: {
4408 // Default is an optional arbitrary JSON object that the variable
4409 // may take if the JMESPath
4410 // expression evaluates to nil.
4411 "default"?: null | bool | number | string | [...] | {
4412 ...
4413 }
4414
4415 // JMESPath is an optional JMESPath Expression that can be used to
4416 // transform the variable.
4417 "jmesPath"?: string
4418
4419 // Value is any arbitrary JSON object representable in YAML or
4420 // JSON form.
4421 "value"?: null | bool | number | string | [...] | {
4422 ...
4423 }
4424 }
4425 }]
4426
4427 // ExcludeResources defines when this policy rule should not be
4428 // applied. The exclude
4429 // criteria can include resource information (e.g. kind, name,
4430 // namespace, labels)
4431 // and admission review request information like the name or role.
4432 "exclude"?: matchN(0, [null | bool | number | string | [...] | {
4433 "any"!: _
4434 "all"!: _
4435 }]) & {
4436 // All allows specifying resources which will be ANDed.
4437 "all"?: [...{
4438 // ClusterRoles is the list of cluster-wide role names for the
4439 // user.
4440 "clusterRoles"?: [...string]
4441
4442 // ResourceDescription contains information about the resource
4443 // being created or modified.
4444 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4445 "name"!: _
4446 "names"!: _
4447 }]) & {
4448 // Annotations is a map of annotations (key-value pairs of type
4449 // string). Annotation keys
4450 // and values support the wildcard characters "*" (matches zero or
4451 // many characters) and
4452 // "?" (matches at least one character).
4453 "annotations"?: [string]: string
4454
4455 // Kinds is a list of resource kinds.
4456 "kinds"?: [...string]
4457
4458 // Name is the name of the resource. The name supports wildcard
4459 // characters
4460 // "*" (matches zero or many characters) and "?" (at least one
4461 // character).
4462 // NOTE: "Name" is being deprecated in favor of "Names".
4463 "name"?: string
4464
4465 // Names are the names of the resources. Each name supports
4466 // wildcard characters
4467 // "*" (matches zero or many characters) and "?" (at least one
4468 // character).
4469 "names"?: [...string]
4470
4471 // NamespaceSelector is a label selector for the resource
4472 // namespace. Label keys and values
4473 // in `matchLabels` support the wildcard characters `*` (matches
4474 // zero or many characters)
4475 // and `?` (matches one character). Wildcards allow writing label
4476 // selectors like
4477 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4478 // any key and value but
4479 // does not match an empty label set.
4480 "namespaceSelector"?: {
4481 // matchExpressions is a list of label selector requirements. The
4482 // requirements are ANDed.
4483 "matchExpressions"?: [...{
4484 // key is the label key that the selector applies to.
4485 "key"!: string
4486
4487 // operator represents a key's relationship to a set of values.
4488 // Valid operators are In, NotIn, Exists and DoesNotExist.
4489 "operator"!: string
4490
4491 // values is an array of string values. If the operator is In or
4492 // NotIn,
4493 // the values array must be non-empty. If the operator is Exists
4494 // or DoesNotExist,
4495 // the values array must be empty. This array is replaced during a
4496 // strategic
4497 // merge patch.
4498 "values"?: [...string]
4499 }]
4500
4501 // matchLabels is a map of {key,value} pairs. A single {key,value}
4502 // in the matchLabels
4503 // map is equivalent to an element of matchExpressions, whose key
4504 // field is "key", the
4505 // operator is "In", and the values array contains only "value".
4506 // The requirements are ANDed.
4507 "matchLabels"?: {
4508 [string]: string
4509 }
4510 }
4511
4512 // Namespaces is a list of namespace names. Each name supports
4513 // wildcard characters
4514 // "*" (matches zero or many characters) and "?" (at least one
4515 // character).
4516 "namespaces"?: [...string]
4517
4518 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4519 // "DELETE"], which are used to match a specific action.
4520 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4521
4522 // Selector is a label selector. Label keys and values in
4523 // `matchLabels` support the wildcard
4524 // characters `*` (matches zero or many characters) and `?`
4525 // (matches one character).
4526 // Wildcards allow writing label selectors like
4527 // ["storage.k8s.io/*": "*"]. Note that
4528 // using ["*" : "*"] matches any key and value but does not match
4529 // an empty label set.
4530 "selector"?: {
4531 // matchExpressions is a list of label selector requirements. The
4532 // requirements are ANDed.
4533 "matchExpressions"?: [...{
4534 // key is the label key that the selector applies to.
4535 "key"!: string
4536
4537 // operator represents a key's relationship to a set of values.
4538 // Valid operators are In, NotIn, Exists and DoesNotExist.
4539 "operator"!: string
4540
4541 // values is an array of string values. If the operator is In or
4542 // NotIn,
4543 // the values array must be non-empty. If the operator is Exists
4544 // or DoesNotExist,
4545 // the values array must be empty. This array is replaced during a
4546 // strategic
4547 // merge patch.
4548 "values"?: [...string]
4549 }]
4550
4551 // matchLabels is a map of {key,value} pairs. A single {key,value}
4552 // in the matchLabels
4553 // map is equivalent to an element of matchExpressions, whose key
4554 // field is "key", the
4555 // operator is "In", and the values array contains only "value".
4556 // The requirements are ANDed.
4557 "matchLabels"?: {
4558 [string]: string
4559 }
4560 }
4561 }
4562
4563 // Roles is the list of namespaced role names for the user.
4564 "roles"?: [...string]
4565
4566 // Subjects is the list of subject names like users, user groups,
4567 // and service accounts.
4568 "subjects"?: [...{
4569 // APIGroup holds the API group of the referenced subject.
4570 // Defaults to "" for ServiceAccount subjects.
4571 // Defaults to "rbac.authorization.k8s.io" for User and Group
4572 // subjects.
4573 "apiGroup"?: string
4574
4575 // Kind of object being referenced. Values defined by this API
4576 // group are "User", "Group", and "ServiceAccount".
4577 // If the Authorizer does not recognize the kind value, the
4578 // Authorizer should report an error.
4579 "kind"!: string
4580
4581 // Name of the object being referenced.
4582 "name"!: string
4583
4584 // Namespace of the referenced object. If the object kind is
4585 // non-namespaced, such as "User" or "Group", and this value is
4586 // not empty,
4587 // the Authorizer should report an error.
4588 "namespace"?: string
4589 }]
4590 }]
4591
4592 // Any allows specifying resources which will be ORed.
4593 "any"?: [...{
4594 // ClusterRoles is the list of cluster-wide role names for the
4595 // user.
4596 "clusterRoles"?: [...string]
4597
4598 // ResourceDescription contains information about the resource
4599 // being created or modified.
4600 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4601 "name"!: _
4602 "names"!: _
4603 }]) & {
4604 // Annotations is a map of annotations (key-value pairs of type
4605 // string). Annotation keys
4606 // and values support the wildcard characters "*" (matches zero or
4607 // many characters) and
4608 // "?" (matches at least one character).
4609 "annotations"?: [string]: string
4610
4611 // Kinds is a list of resource kinds.
4612 "kinds"?: [...string]
4613
4614 // Name is the name of the resource. The name supports wildcard
4615 // characters
4616 // "*" (matches zero or many characters) and "?" (at least one
4617 // character).
4618 // NOTE: "Name" is being deprecated in favor of "Names".
4619 "name"?: string
4620
4621 // Names are the names of the resources. Each name supports
4622 // wildcard characters
4623 // "*" (matches zero or many characters) and "?" (at least one
4624 // character).
4625 "names"?: [...string]
4626
4627 // NamespaceSelector is a label selector for the resource
4628 // namespace. Label keys and values
4629 // in `matchLabels` support the wildcard characters `*` (matches
4630 // zero or many characters)
4631 // and `?` (matches one character). Wildcards allow writing label
4632 // selectors like
4633 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4634 // any key and value but
4635 // does not match an empty label set.
4636 "namespaceSelector"?: {
4637 // matchExpressions is a list of label selector requirements. The
4638 // requirements are ANDed.
4639 "matchExpressions"?: [...{
4640 // key is the label key that the selector applies to.
4641 "key"!: string
4642
4643 // operator represents a key's relationship to a set of values.
4644 // Valid operators are In, NotIn, Exists and DoesNotExist.
4645 "operator"!: string
4646
4647 // values is an array of string values. If the operator is In or
4648 // NotIn,
4649 // the values array must be non-empty. If the operator is Exists
4650 // or DoesNotExist,
4651 // the values array must be empty. This array is replaced during a
4652 // strategic
4653 // merge patch.
4654 "values"?: [...string]
4655 }]
4656
4657 // matchLabels is a map of {key,value} pairs. A single {key,value}
4658 // in the matchLabels
4659 // map is equivalent to an element of matchExpressions, whose key
4660 // field is "key", the
4661 // operator is "In", and the values array contains only "value".
4662 // The requirements are ANDed.
4663 "matchLabels"?: {
4664 [string]: string
4665 }
4666 }
4667
4668 // Namespaces is a list of namespace names. Each name supports
4669 // wildcard characters
4670 // "*" (matches zero or many characters) and "?" (at least one
4671 // character).
4672 "namespaces"?: [...string]
4673
4674 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4675 // "DELETE"], which are used to match a specific action.
4676 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4677
4678 // Selector is a label selector. Label keys and values in
4679 // `matchLabels` support the wildcard
4680 // characters `*` (matches zero or many characters) and `?`
4681 // (matches one character).
4682 // Wildcards allow writing label selectors like
4683 // ["storage.k8s.io/*": "*"]. Note that
4684 // using ["*" : "*"] matches any key and value but does not match
4685 // an empty label set.
4686 "selector"?: {
4687 // matchExpressions is a list of label selector requirements. The
4688 // requirements are ANDed.
4689 "matchExpressions"?: [...{
4690 // key is the label key that the selector applies to.
4691 "key"!: string
4692
4693 // operator represents a key's relationship to a set of values.
4694 // Valid operators are In, NotIn, Exists and DoesNotExist.
4695 "operator"!: string
4696
4697 // values is an array of string values. If the operator is In or
4698 // NotIn,
4699 // the values array must be non-empty. If the operator is Exists
4700 // or DoesNotExist,
4701 // the values array must be empty. This array is replaced during a
4702 // strategic
4703 // merge patch.
4704 "values"?: [...string]
4705 }]
4706
4707 // matchLabels is a map of {key,value} pairs. A single {key,value}
4708 // in the matchLabels
4709 // map is equivalent to an element of matchExpressions, whose key
4710 // field is "key", the
4711 // operator is "In", and the values array contains only "value".
4712 // The requirements are ANDed.
4713 "matchLabels"?: {
4714 [string]: string
4715 }
4716 }
4717 }
4718
4719 // Roles is the list of namespaced role names for the user.
4720 "roles"?: [...string]
4721
4722 // Subjects is the list of subject names like users, user groups,
4723 // and service accounts.
4724 "subjects"?: [...{
4725 // APIGroup holds the API group of the referenced subject.
4726 // Defaults to "" for ServiceAccount subjects.
4727 // Defaults to "rbac.authorization.k8s.io" for User and Group
4728 // subjects.
4729 "apiGroup"?: string
4730
4731 // Kind of object being referenced. Values defined by this API
4732 // group are "User", "Group", and "ServiceAccount".
4733 // If the Authorizer does not recognize the kind value, the
4734 // Authorizer should report an error.
4735 "kind"!: string
4736
4737 // Name of the object being referenced.
4738 "name"!: string
4739
4740 // Namespace of the referenced object. If the object kind is
4741 // non-namespaced, such as "User" or "Group", and this value is
4742 // not empty,
4743 // the Authorizer should report an error.
4744 "namespace"?: string
4745 }]
4746 }]
4747
4748 // ClusterRoles is the list of cluster-wide role names for the
4749 // user.
4750 "clusterRoles"?: [...string]
4751
4752 // ResourceDescription contains information about the resource
4753 // being created or modified.
4754 // Requires at least one tag to be specified when under
4755 // MatchResources.
4756 // Specifying ResourceDescription directly under match is being
4757 // deprecated.
4758 // Please specify under "any" or "all" instead.
4759 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4760 "name"!: _
4761 "names"!: _
4762 }]) & {
4763 // Annotations is a map of annotations (key-value pairs of type
4764 // string). Annotation keys
4765 // and values support the wildcard characters "*" (matches zero or
4766 // many characters) and
4767 // "?" (matches at least one character).
4768 "annotations"?: [string]: string
4769
4770 // Kinds is a list of resource kinds.
4771 "kinds"?: [...string]
4772
4773 // Name is the name of the resource. The name supports wildcard
4774 // characters
4775 // "*" (matches zero or many characters) and "?" (at least one
4776 // character).
4777 // NOTE: "Name" is being deprecated in favor of "Names".
4778 "name"?: string
4779
4780 // Names are the names of the resources. Each name supports
4781 // wildcard characters
4782 // "*" (matches zero or many characters) and "?" (at least one
4783 // character).
4784 "names"?: [...string]
4785
4786 // NamespaceSelector is a label selector for the resource
4787 // namespace. Label keys and values
4788 // in `matchLabels` support the wildcard characters `*` (matches
4789 // zero or many characters)
4790 // and `?` (matches one character). Wildcards allow writing label
4791 // selectors like
4792 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4793 // any key and value but
4794 // does not match an empty label set.
4795 "namespaceSelector"?: {
4796 // matchExpressions is a list of label selector requirements. The
4797 // requirements are ANDed.
4798 "matchExpressions"?: [...{
4799 // key is the label key that the selector applies to.
4800 "key"!: string
4801
4802 // operator represents a key's relationship to a set of values.
4803 // Valid operators are In, NotIn, Exists and DoesNotExist.
4804 "operator"!: string
4805
4806 // values is an array of string values. If the operator is In or
4807 // NotIn,
4808 // the values array must be non-empty. If the operator is Exists
4809 // or DoesNotExist,
4810 // the values array must be empty. This array is replaced during a
4811 // strategic
4812 // merge patch.
4813 "values"?: [...string]
4814 }]
4815
4816 // matchLabels is a map of {key,value} pairs. A single {key,value}
4817 // in the matchLabels
4818 // map is equivalent to an element of matchExpressions, whose key
4819 // field is "key", the
4820 // operator is "In", and the values array contains only "value".
4821 // The requirements are ANDed.
4822 "matchLabels"?: {
4823 [string]: string
4824 }
4825 }
4826
4827 // Namespaces is a list of namespace names. Each name supports
4828 // wildcard characters
4829 // "*" (matches zero or many characters) and "?" (at least one
4830 // character).
4831 "namespaces"?: [...string]
4832
4833 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4834 // "DELETE"], which are used to match a specific action.
4835 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4836
4837 // Selector is a label selector. Label keys and values in
4838 // `matchLabels` support the wildcard
4839 // characters `*` (matches zero or many characters) and `?`
4840 // (matches one character).
4841 // Wildcards allow writing label selectors like
4842 // ["storage.k8s.io/*": "*"]. Note that
4843 // using ["*" : "*"] matches any key and value but does not match
4844 // an empty label set.
4845 "selector"?: {
4846 // matchExpressions is a list of label selector requirements. The
4847 // requirements are ANDed.
4848 "matchExpressions"?: [...{
4849 // key is the label key that the selector applies to.
4850 "key"!: string
4851
4852 // operator represents a key's relationship to a set of values.
4853 // Valid operators are In, NotIn, Exists and DoesNotExist.
4854 "operator"!: string
4855
4856 // values is an array of string values. If the operator is In or
4857 // NotIn,
4858 // the values array must be non-empty. If the operator is Exists
4859 // or DoesNotExist,
4860 // the values array must be empty. This array is replaced during a
4861 // strategic
4862 // merge patch.
4863 "values"?: [...string]
4864 }]
4865
4866 // matchLabels is a map of {key,value} pairs. A single {key,value}
4867 // in the matchLabels
4868 // map is equivalent to an element of matchExpressions, whose key
4869 // field is "key", the
4870 // operator is "In", and the values array contains only "value".
4871 // The requirements are ANDed.
4872 "matchLabels"?: {
4873 [string]: string
4874 }
4875 }
4876 }
4877
4878 // Roles is the list of namespaced role names for the user.
4879 "roles"?: [...string]
4880
4881 // Subjects is the list of subject names like users, user groups,
4882 // and service accounts.
4883 "subjects"?: [...{
4884 // APIGroup holds the API group of the referenced subject.
4885 // Defaults to "" for ServiceAccount subjects.
4886 // Defaults to "rbac.authorization.k8s.io" for User and Group
4887 // subjects.
4888 "apiGroup"?: string
4889
4890 // Kind of object being referenced. Values defined by this API
4891 // group are "User", "Group", and "ServiceAccount".
4892 // If the Authorizer does not recognize the kind value, the
4893 // Authorizer should report an error.
4894 "kind"!: string
4895
4896 // Name of the object being referenced.
4897 "name"!: string
4898
4899 // Namespace of the referenced object. If the object kind is
4900 // non-namespaced, such as "User" or "Group", and this value is
4901 // not empty,
4902 // the Authorizer should report an error.
4903 "namespace"?: string
4904 }]
4905 }
4906
4907 // Generation is used to create new resources.
4908 "generate"?: {
4909 // APIVersion specifies resource apiVersion.
4910 "apiVersion"?: string
4911
4912 // Clone specifies the source resource used to populate each
4913 // generated resource.
4914 // At most one of Data or Clone can be specified. If neither are
4915 // provided, the generated
4916 // resource will be created with default data only.
4917 "clone"?: {
4918 // Name specifies name of the resource.
4919 "name"?: string
4920
4921 // Namespace specifies source resource namespace.
4922 "namespace"?: string
4923 }
4924
4925 // CloneList specifies the list of source resources used to
4926 // populate each generated resource.
4927 "cloneList"?: {
4928 // Kinds is a list of resource kinds.
4929 "kinds"?: [...string]
4930
4931 // Namespace specifies source resource namespace.
4932 "namespace"?: string
4933
4934 // Selector is a label selector over the label keys and values in
4935 // `matchLabels`.
4936 // Wildcard characters are not supported.
4937 "selector"?: {
4938 // matchExpressions is a list of label selector requirements. The
4939 // requirements are ANDed.
4940 "matchExpressions"?: [...{
4941 // key is the label key that the selector applies to.
4942 "key"!: string
4943
4944 // operator represents a key's relationship to a set of values.
4945 // Valid operators are In, NotIn, Exists and DoesNotExist.
4946 "operator"!: string
4947
4948 // values is an array of string values. If the operator is In or
4949 // NotIn,
4950 // the values array must be non-empty. If the operator is Exists
4951 // or DoesNotExist,
4952 // the values array must be empty. This array is replaced during a
4953 // strategic
4954 // merge patch.
4955 "values"?: [...string]
4956 }]
4957
4958 // matchLabels is a map of {key,value} pairs. A single {key,value}
4959 // in the matchLabels
4960 // map is equivalent to an element of matchExpressions, whose key
4961 // field is "key", the
4962 // operator is "In", and the values array contains only "value".
4963 // The requirements are ANDed.
4964 "matchLabels"?: {
4965 [string]: string
4966 }
4967 }
4968 }
4969
4970 // Data provides the resource declaration used to populate each
4971 // generated resource.
4972 // At most one of Data or Clone can be specified. If neither are
4973 // provided, the generated
4974 // resource will be created with default data only.
4975 "data"?: null | bool | number | string | [...] | {
4976 ...
4977 }
4978
4979 // ForEach applies generate rules to a list of sub-elements by
4980 // creating a context for each entry in the list and looping over
4981 // it to apply the specified logic.
4982 "foreach"?: [...{
4983 // APIVersion specifies resource apiVersion.
4984 "apiVersion"?: string
4985
4986 // Clone specifies the source resource used to populate each
4987 // generated resource.
4988 // At most one of Data or Clone can be specified. If neither are
4989 // provided, the generated
4990 // resource will be created with default data only.
4991 "clone"?: {
4992 // Name specifies name of the resource.
4993 "name"?: string
4994
4995 // Namespace specifies source resource namespace.
4996 "namespace"?: string
4997 }
4998
4999 // CloneList specifies the list of source resources used to
5000 // populate each generated resource.
5001 "cloneList"?: {
5002 // Kinds is a list of resource kinds.
5003 "kinds"?: [...string]
5004
5005 // Namespace specifies source resource namespace.
5006 "namespace"?: string
5007
5008 // Selector is a label selector over the label keys and values in
5009 // `matchLabels`.
5010 // Wildcard characters are not supported.
5011 "selector"?: {
5012 // matchExpressions is a list of label selector requirements. The
5013 // requirements are ANDed.
5014 "matchExpressions"?: [...{
5015 // key is the label key that the selector applies to.
5016 "key"!: string
5017
5018 // operator represents a key's relationship to a set of values.
5019 // Valid operators are In, NotIn, Exists and DoesNotExist.
5020 "operator"!: string
5021
5022 // values is an array of string values. If the operator is In or
5023 // NotIn,
5024 // the values array must be non-empty. If the operator is Exists
5025 // or DoesNotExist,
5026 // the values array must be empty. This array is replaced during a
5027 // strategic
5028 // merge patch.
5029 "values"?: [...string]
5030 }]
5031
5032 // matchLabels is a map of {key,value} pairs. A single {key,value}
5033 // in the matchLabels
5034 // map is equivalent to an element of matchExpressions, whose key
5035 // field is "key", the
5036 // operator is "In", and the values array contains only "value".
5037 // The requirements are ANDed.
5038 "matchLabels"?: {
5039 [string]: string
5040 }
5041 }
5042 }
5043
5044 // Context defines variables and data sources that can be used
5045 // during rule execution.
5046 "context"?: [...matchN(1, [{
5047 "configMap"!: _
5048 }, {
5049 "apiCall"!: _
5050 }, {
5051 "imageRegistry"!: _
5052 }, {
5053 "variable"!: _
5054 }, {
5055 "globalReference"!: _
5056 }]) & {
5057 // APICall is an HTTP request to the Kubernetes API server, or
5058 // other JSON web service.
5059 // The data returned is stored in the context with the name for
5060 // the context entry.
5061 "apiCall"?: {
5062 // The data object specifies the POST data sent to the server.
5063 // Only applicable when the method field is set to POST.
5064 "data"?: [...{
5065 // Key is a unique identifier for the data value
5066 "key"!: string
5067
5068 // Value is the data value
5069 "value"!: null | bool | number | string | [...] | {
5070 ...
5071 }
5072 }]
5073
5074 // Default is an optional arbitrary JSON object that the context
5075 // value is set to, if the apiCall returns error.
5076 "default"?: null | bool | number | string | [...] | {
5077 ...
5078 }
5079
5080 // JMESPath is an optional JSON Match Expression that can be used
5081 // to
5082 // transform the JSON response returned from the server. For
5083 // example
5084 // a JMESPath of "items | length(@)" applied to the API server
5085 // response
5086 // for the URLPath "/apis/apps/v1/deployments" will return the
5087 // total count
5088 // of deployments across all namespaces.
5089 "jmesPath"?: string
5090
5091 // Method is the HTTP request type (GET or POST). Defaults to GET.
5092 "method"?: "GET" | "POST"
5093
5094 // Service is an API call to a JSON web service.
5095 // This is used for non-Kubernetes API server calls.
5096 // It's mutually exclusive with the URLPath field.
5097 "service"?: {
5098 // CABundle is a PEM encoded CA bundle which will be used to
5099 // validate
5100 // the server certificate.
5101 "caBundle"?: string
5102
5103 // Headers is a list of optional HTTP headers to be included in
5104 // the request.
5105 "headers"?: [...{
5106 // Key is the header key
5107 "key"!: string
5108
5109 // Value is the header value
5110 "value"!: string
5111 }]
5112
5113 // URL is the JSON web service URL. A typical form is
5114 // `https://{service}.{namespace}:{port}/{path}`.
5115 "url"!: string
5116 }
5117
5118 // URLPath is the URL path to be used in the HTTP GET or POST
5119 // request to the
5120 // Kubernetes API server (e.g. "/api/v1/namespaces" or
5121 // "/apis/apps/v1/deployments").
5122 // The format required is the same format used by the `kubectl get
5123 // --raw` command.
5124 // See
5125 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
5126 // for details.
5127 // It's mutually exclusive with the Service field.
5128 "urlPath"?: string
5129 }
5130
5131 // ConfigMap is the ConfigMap reference.
5132 "configMap"?: {
5133 // Name is the ConfigMap name.
5134 "name"!: string
5135
5136 // Namespace is the ConfigMap namespace.
5137 "namespace"?: string
5138 }
5139
5140 // GlobalContextEntryReference is a reference to a cached global
5141 // context entry.
5142 "globalReference"?: {
5143 // JMESPath is an optional JSON Match Expression that can be used
5144 // to
5145 // transform the JSON response returned from the server. For
5146 // example
5147 // a JMESPath of "items | length(@)" applied to the API server
5148 // response
5149 // for the URLPath "/apis/apps/v1/deployments" will return the
5150 // total count
5151 // of deployments across all namespaces.
5152 "jmesPath"?: string
5153
5154 // Name of the global context entry.
5155 "name"!: string
5156 }
5157
5158 // ImageRegistry defines requests to an OCI/Docker V2 registry to
5159 // fetch image
5160 // details.
5161 "imageRegistry"?: {
5162 // ImageRegistryCredentials provides credentials that will be used
5163 // for authentication with the registry.
5164 "imageRegistryCredentials"?: {
5165 // AllowInsecureRegistry allows insecure access to a registry.
5166 "allowInsecureRegistry"?: bool
5167
5168 // Providers specifies a list of OCI registry authentication
5169 // providers to use.
5170 // Each entry must be one of these values:
5171 // default, google, azure, amazon, github.
5172 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
5173
5174 // Secrets specifies a list of secrets that are provided for
5175 // credentials.
5176 // Secrets must live in the Kyverno namespace.
5177 "secrets"?: [...string]
5178 }
5179
5180 // JMESPath is an optional JSON Match Expression that can be used
5181 // to
5182 // transform the ImageData struct returned as a result of
5183 // processing
5184 // the image reference.
5185 "jmesPath"?: string
5186
5187 // Reference is the image reference to a container image in the
5188 // registry.
5189 // Example: ghcr.io/kyverno/kyverno:latest
5190 "reference"!: string
5191 }
5192
5193 // Name is the variable name.
5194 "name"!: string
5195
5196 // Variable defines an arbitrary JMESPath context variable that
5197 // can be defined inline.
5198 "variable"?: {
5199 // Default is an optional arbitrary JSON object that the variable
5200 // may take if the JMESPath
5201 // expression evaluates to nil.
5202 "default"?: null | bool | number | string | [...] | {
5203 ...
5204 }
5205
5206 // JMESPath is an optional JMESPath Expression that can be used to
5207 // transform the variable.
5208 "jmesPath"?: string
5209
5210 // Value is any arbitrary JSON object representable in YAML or
5211 // JSON form.
5212 "value"?: null | bool | number | string | [...] | {
5213 ...
5214 }
5215 }
5216 }]
5217
5218 // Data provides the resource declaration used to populate each
5219 // generated resource.
5220 // At most one of Data or Clone can be specified. If neither are
5221 // provided, the generated
5222 // resource will be created with default data only.
5223 "data"?: null | bool | number | string | [...] | {
5224 ...
5225 }
5226
5227 // Kind specifies resource kind.
5228 "kind"?: string
5229
5230 // List specifies a JMESPath expression that results in one or
5231 // more elements
5232 // to which the validation logic is applied.
5233 "list"?: string
5234
5235 // Name specifies the resource name.
5236 "name"?: string
5237
5238 // Namespace specifies resource namespace.
5239 "namespace"?: string
5240
5241 // AnyAllConditions are used to determine if a policy rule should
5242 // be applied by evaluating a
5243 // set of conditions. The declaration can contain nested `any` or
5244 // `all` statements.
5245 // See: https://kyverno.io/docs/writing-policies/preconditions/
5246 "preconditions"?: {
5247 // AllConditions enable variable-based conditional rule execution.
5248 // This is useful for
5249 // finer control of when a rule is applied. A condition can
5250 // reference object data
5251 // using JMESPath notation.
5252 // Here, all of the conditions need to pass.
5253 "all"?: [...{
5254 // Key is the context entry (using JMESPath) for conditional rule
5255 // evaluation.
5256 "key"?: null | bool | number | string | [...] | {
5257 ...
5258 }
5259
5260 // Message is an optional display message
5261 "message"?: string
5262
5263 // Operator is the conditional operation to perform. Valid
5264 // operators are:
5265 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5266 // GreaterThanOrEquals,
5267 // GreaterThan, LessThanOrEquals, LessThan,
5268 // DurationGreaterThanOrEquals, DurationGreaterThan,
5269 // DurationLessThanOrEquals, DurationLessThan
5270 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5271
5272 // Value is the conditional value, or set of values. The values
5273 // can be fixed set
5274 // or can be variables declared using JMESPath.
5275 "value"?: null | bool | number | string | [...] | {
5276 ...
5277 }
5278 }]
5279
5280 // AnyConditions enable variable-based conditional rule execution.
5281 // This is useful for
5282 // finer control of when a rule is applied. A condition can
5283 // reference object data
5284 // using JMESPath notation.
5285 // Here, at least one of the conditions needs to pass
5286 "any"?: [...{
5287 // Key is the context entry (using JMESPath) for conditional rule
5288 // evaluation.
5289 "key"?: null | bool | number | string | [...] | {
5290 ...
5291 }
5292
5293 // Message is an optional display message
5294 "message"?: string
5295
5296 // Operator is the conditional operation to perform. Valid
5297 // operators are:
5298 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5299 // GreaterThanOrEquals,
5300 // GreaterThan, LessThanOrEquals, LessThan,
5301 // DurationGreaterThanOrEquals, DurationGreaterThan,
5302 // DurationLessThanOrEquals, DurationLessThan
5303 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5304
5305 // Value is the conditional value, or set of values. The values
5306 // can be fixed set
5307 // or can be variables declared using JMESPath.
5308 "value"?: null | bool | number | string | [...] | {
5309 ...
5310 }
5311 }]
5312 ...
5313 }
5314
5315 // UID specifies the resource uid.
5316 "uid"?: string
5317 }]
5318
5319 // GenerateExisting controls whether to trigger the rule in
5320 // existing resources.
5321 // If it is set to "true" the rule will be triggered and applied to
5322 // existing matched resources.
5323 "generateExisting"?: bool
5324
5325 // Kind specifies resource kind.
5326 "kind"?: string
5327
5328 // Name specifies the resource name.
5329 "name"?: string
5330
5331 // Namespace specifies resource namespace.
5332 "namespace"?: string
5333
5334 // OrphanDownstreamOnPolicyDelete controls whether generated
5335 // resources should be deleted when the rule that generated
5336 // them is deleted with synchronization enabled. This option is
5337 // only applicable to generate rules of the data type.
5338 // See
5339 // https://kyverno.io/docs/writing-policies/generate/#data-examples.
5340 // Defaults to "false" if not specified.
5341 "orphanDownstreamOnPolicyDelete"?: bool
5342
5343 // Synchronize controls if generated resources should be kept
5344 // in-sync with their source resource.
5345 // If Synchronize is set to "true" changes to generated resources
5346 // will be overwritten with resource
5347 // data from Data or the resource specified in the Clone
5348 // declaration.
5349 // Optional. Defaults to "false" if not specified.
5350 "synchronize"?: bool
5351
5352 // UID specifies the resource uid.
5353 "uid"?: string
5354 }
5355
5356 // ImageExtractors defines a mapping from kinds to
5357 // ImageExtractorConfigs.
5358 // This config is only valid for verifyImages rules.
5359 "imageExtractors"?: {
5360 [string]: [...{
5361 // JMESPath is an optional JMESPath expression to apply to the
5362 // image value.
5363 // This is useful when the extracted image begins with a prefix
5364 // like 'docker://'.
5365 // The 'trim_prefix' function may be used to trim the prefix:
5366 // trim_prefix(@, 'docker://').
5367 // Note - Image digest mutation may not be used when applying a
5368 // JMESPath to an image.
5369 "jmesPath"?: string
5370
5371 // Key is an optional name of the field within 'path' that will be
5372 // used to uniquely identify an image.
5373 // Note - this field MUST be unique.
5374 "key"?: string
5375
5376 // Name is the entry the image will be available under
5377 // 'images.<name>' in the context.
5378 // If this field is not defined, image entries will appear under
5379 // 'images.custom'.
5380 "name"?: string
5381
5382 // Path is the path to the object containing the image field in a
5383 // custom resource.
5384 // It should be slash-separated. Each slash-separated key must be
5385 // a valid YAML key or a wildcard '*'.
5386 // Wildcard keys are expanded in case of arrays or objects.
5387 "path"!: string
5388
5389 // Value is an optional name of the field within 'path' that
5390 // points to the image URI.
5391 // This is useful when a custom 'key' is also defined.
5392 "value"?: string
5393 }]
5394 }
5395
5396 // MatchResources defines when this policy rule should be applied.
5397 // The match
5398 // criteria can include resource information (e.g. kind, name,
5399 // namespace, labels)
5400 // and admission review request information like the user name or
5401 // role.
5402 // At least one kind is required.
5403 "match"!: matchN(0, [null | bool | number | string | [...] | {
5404 "any"!: _
5405 "all"!: _
5406 }]) & {
5407 // All allows specifying resources which will be ANDed
5408 "all"?: [...{
5409 // ClusterRoles is the list of cluster-wide role names for the
5410 // user.
5411 "clusterRoles"?: [...string]
5412
5413 // ResourceDescription contains information about the resource
5414 // being created or modified.
5415 "resources"?: matchN(0, [null | bool | number | string | [...] | {
5416 "name"!: _
5417 "names"!: _
5418 }]) & {
5419 // Annotations is a map of annotations (key-value pairs of type
5420 // string). Annotation keys
5421 // and values support the wildcard characters "*" (matches zero or
5422 // many characters) and
5423 // "?" (matches at least one character).
5424 "annotations"?: [string]: string
5425
5426 // Kinds is a list of resource kinds.
5427 "kinds"?: [...string]
5428
5429 // Name is the name of the resource. The name supports wildcard
5430 // characters
5431 // "*" (matches zero or many characters) and "?" (at least one
5432 // character).
5433 // NOTE: "Name" is being deprecated in favor of "Names".
5434 "name"?: string
5435
5436 // Names are the names of the resources. Each name supports
5437 // wildcard characters
5438 // "*" (matches zero or many characters) and "?" (at least one
5439 // character).
5440 "names"?: [...string]
5441
5442 // NamespaceSelector is a label selector for the resource
5443 // namespace. Label keys and values
5444 // in `matchLabels` support the wildcard characters `*` (matches
5445 // zero or many characters)
5446 // and `?` (matches one character). Wildcards allow writing label
5447 // selectors like
5448 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5449 // any key and value but
5450 // does not match an empty label set.
5451 "namespaceSelector"?: {
5452 // matchExpressions is a list of label selector requirements. The
5453 // requirements are ANDed.
5454 "matchExpressions"?: [...{
5455 // key is the label key that the selector applies to.
5456 "key"!: string
5457
5458 // operator represents a key's relationship to a set of values.
5459 // Valid operators are In, NotIn, Exists and DoesNotExist.
5460 "operator"!: string
5461
5462 // values is an array of string values. If the operator is In or
5463 // NotIn,
5464 // the values array must be non-empty. If the operator is Exists
5465 // or DoesNotExist,
5466 // the values array must be empty. This array is replaced during a
5467 // strategic
5468 // merge patch.
5469 "values"?: [...string]
5470 }]
5471
5472 // matchLabels is a map of {key,value} pairs. A single {key,value}
5473 // in the matchLabels
5474 // map is equivalent to an element of matchExpressions, whose key
5475 // field is "key", the
5476 // operator is "In", and the values array contains only "value".
5477 // The requirements are ANDed.
5478 "matchLabels"?: {
5479 [string]: string
5480 }
5481 }
5482
5483 // Namespaces is a list of namespace names. Each name supports
5484 // wildcard characters
5485 // "*" (matches zero or many characters) and "?" (at least one
5486 // character).
5487 "namespaces"?: [...string]
5488
5489 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5490 // "DELETE"], which are used to match a specific action.
5491 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5492
5493 // Selector is a label selector. Label keys and values in
5494 // `matchLabels` support the wildcard
5495 // characters `*` (matches zero or many characters) and `?`
5496 // (matches one character).
5497 // Wildcards allow writing label selectors like
5498 // ["storage.k8s.io/*": "*"]. Note that
5499 // using ["*" : "*"] matches any key and value but does not match
5500 // an empty label set.
5501 "selector"?: {
5502 // matchExpressions is a list of label selector requirements. The
5503 // requirements are ANDed.
5504 "matchExpressions"?: [...{
5505 // key is the label key that the selector applies to.
5506 "key"!: string
5507
5508 // operator represents a key's relationship to a set of values.
5509 // Valid operators are In, NotIn, Exists and DoesNotExist.
5510 "operator"!: string
5511
5512 // values is an array of string values. If the operator is In or
5513 // NotIn,
5514 // the values array must be non-empty. If the operator is Exists
5515 // or DoesNotExist,
5516 // the values array must be empty. This array is replaced during a
5517 // strategic
5518 // merge patch.
5519 "values"?: [...string]
5520 }]
5521
5522 // matchLabels is a map of {key,value} pairs. A single {key,value}
5523 // in the matchLabels
5524 // map is equivalent to an element of matchExpressions, whose key
5525 // field is "key", the
5526 // operator is "In", and the values array contains only "value".
5527 // The requirements are ANDed.
5528 "matchLabels"?: {
5529 [string]: string
5530 }
5531 }
5532 }
5533
5534 // Roles is the list of namespaced role names for the user.
5535 "roles"?: [...string]
5536
5537 // Subjects is the list of subject names like users, user groups,
5538 // and service accounts.
5539 "subjects"?: [...{
5540 // APIGroup holds the API group of the referenced subject.
5541 // Defaults to "" for ServiceAccount subjects.
5542 // Defaults to "rbac.authorization.k8s.io" for User and Group
5543 // subjects.
5544 "apiGroup"?: string
5545
5546 // Kind of object being referenced. Values defined by this API
5547 // group are "User", "Group", and "ServiceAccount".
5548 // If the Authorizer does not recognize the kind value, the
5549 // Authorizer should report an error.
5550 "kind"!: string
5551
5552 // Name of the object being referenced.
5553 "name"!: string
5554
5555 // Namespace of the referenced object. If the object kind is
5556 // non-namespace, such as "User" or "Group", and this value is
5557 // not empty
5558 // the Authorizer should report an error.
5559 "namespace"?: string
5560 }]
5561 }]
5562
5563 // Any allows specifying resources which will be ORed
5564 "any"?: [...{
5565 // ClusterRoles is the list of cluster-wide role names for the
5566 // user.
5567 "clusterRoles"?: [...string]
5568
5569 // ResourceDescription contains information about the resource
5570 // being created or modified.
5571 "resources"?: matchN(0, [null | bool | number | string | [...] | {
5572 "name"!: _
5573 "names"!: _
5574 }]) & {
5575 // Annotations is a map of annotations (key-value pairs of type
5576 // string). Annotation keys
5577 // and values support the wildcard characters "*" (matches zero or
5578 // many characters) and
5579 // "?" (matches at least one character).
5580 "annotations"?: [string]: string
5581
5582 // Kinds is a list of resource kinds.
5583 "kinds"?: [...string]
5584
5585 // Name is the name of the resource. The name supports wildcard
5586 // characters
5587 // "*" (matches zero or many characters) and "?" (at least one
5588 // character).
5589 // NOTE: "Name" is being deprecated in favor of "Names".
5590 "name"?: string
5591
5592 // Names are the names of the resources. Each name supports
5593 // wildcard characters
5594 // "*" (matches zero or many characters) and "?" (at least one
5595 // character).
5596 "names"?: [...string]
5597
5598 // NamespaceSelector is a label selector for the resource
5599 // namespace. Label keys and values
5600 // in `matchLabels` support the wildcard characters `*` (matches
5601 // zero or many characters)
5602 // and `?` (matches one character). Wildcards allow writing label
5603 // selectors like
5604 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5605 // any key and value but
5606 // does not match an empty label set.
5607 "namespaceSelector"?: {
5608 // matchExpressions is a list of label selector requirements. The
5609 // requirements are ANDed.
5610 "matchExpressions"?: [...{
5611 // key is the label key that the selector applies to.
5612 "key"!: string
5613
5614 // operator represents a key's relationship to a set of values.
5615 // Valid operators are In, NotIn, Exists and DoesNotExist.
5616 "operator"!: string
5617
5618 // values is an array of string values. If the operator is In or
5619 // NotIn,
5620 // the values array must be non-empty. If the operator is Exists
5621 // or DoesNotExist,
5622 // the values array must be empty. This array is replaced during a
5623 // strategic
5624 // merge patch.
5625 "values"?: [...string]
5626 }]
5627
5628 // matchLabels is a map of {key,value} pairs. A single {key,value}
5629 // in the matchLabels
5630 // map is equivalent to an element of matchExpressions, whose key
5631 // field is "key", the
5632 // operator is "In", and the values array contains only "value".
5633 // The requirements are ANDed.
5634 "matchLabels"?: {
5635 [string]: string
5636 }
5637 }
5638
5639 // Namespaces is a list of namespace names. Each name supports
5640 // wildcard characters
5641 // "*" (matches zero or many characters) and "?" (at least one
5642 // character).
5643 "namespaces"?: [...string]
5644
5645 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5646 // "DELETE"], which are used to match a specific action.
5647 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5648
5649 // Selector is a label selector. Label keys and values in
5650 // `matchLabels` support the wildcard
5651 // characters `*` (matches zero or many characters) and `?`
5652 // (matches one character).
5653 // Wildcards allow writing label selectors like
5654 // ["storage.k8s.io/*": "*"]. Note that
5655 // using ["*" : "*"] matches any key and value but does not match
5656 // an empty label set.
5657 "selector"?: {
5658 // matchExpressions is a list of label selector requirements. The
5659 // requirements are ANDed.
5660 "matchExpressions"?: [...{
5661 // key is the label key that the selector applies to.
5662 "key"!: string
5663
5664 // operator represents a key's relationship to a set of values.
5665 // Valid operators are In, NotIn, Exists and DoesNotExist.
5666 "operator"!: string
5667
5668 // values is an array of string values. If the operator is In or
5669 // NotIn,
5670 // the values array must be non-empty. If the operator is Exists
5671 // or DoesNotExist,
5672 // the values array must be empty. This array is replaced during a
5673 // strategic
5674 // merge patch.
5675 "values"?: [...string]
5676 }]
5677
5678 // matchLabels is a map of {key,value} pairs. A single {key,value}
5679 // in the matchLabels
5680 // map is equivalent to an element of matchExpressions, whose key
5681 // field is "key", the
5682 // operator is "In", and the values array contains only "value".
5683 // The requirements are ANDed.
5684 "matchLabels"?: {
5685 [string]: string
5686 }
5687 }
5688 }
5689
5690 // Roles is the list of namespaced role names for the user.
5691 "roles"?: [...string]
5692
5693 // Subjects is the list of subject names like users, user groups,
5694 // and service accounts.
5695 "subjects"?: [...{
5696 // APIGroup holds the API group of the referenced subject.
5697 // Defaults to "" for ServiceAccount subjects.
5698 // Defaults to "rbac.authorization.k8s.io" for User and Group
5699 // subjects.
5700 "apiGroup"?: string
5701
5702 // Kind of object being referenced. Values defined by this API
5703 // group are "User", "Group", and "ServiceAccount".
5704 // If the Authorizer does not recognize the kind value, the
5705 // Authorizer should report an error.
5706 "kind"!: string
5707
5708 // Name of the object being referenced.
5709 "name"!: string
5710
5711 // Namespace of the referenced object. If the object kind is
5712 // non-namespace, such as "User" or "Group", and this value is
5713 // not empty
5714 // the Authorizer should report an error.
5715 "namespace"?: string
5716 }]
5717 }]
5718
5719 // ClusterRoles is the list of cluster-wide role names for the
5720 // user.
5721 "clusterRoles"?: [...string]
5722
5723 // ResourceDescription contains information about the resource
5724 // being created or modified.
5725 // Requires at least one tag to be specified when under
5726 // MatchResources.
5727 // Specifying ResourceDescription directly under match is being
5728 // deprecated.
5729 // Please specify under "any" or "all" instead.
5730 "resources"?: matchN(0, [null | bool | number | string | [...] | {
5731 "name"!: _
5732 "names"!: _
5733 }]) & {
5734 // Annotations is a map of annotations (key-value pairs of type
5735 // string). Annotation keys
5736 // and values support the wildcard characters "*" (matches zero or
5737 // many characters) and
5738 // "?" (matches at least one character).
5739 "annotations"?: [string]: string
5740
5741 // Kinds is a list of resource kinds.
5742 "kinds"?: [...string]
5743
5744 // Name is the name of the resource. The name supports wildcard
5745 // characters
5746 // "*" (matches zero or many characters) and "?" (at least one
5747 // character).
5748 // NOTE: "Name" is being deprecated in favor of "Names".
5749 "name"?: string
5750
5751 // Names are the names of the resources. Each name supports
5752 // wildcard characters
5753 // "*" (matches zero or many characters) and "?" (at least one
5754 // character).
5755 "names"?: [...string]
5756
5757 // NamespaceSelector is a label selector for the resource
5758 // namespace. Label keys and values
5759 // in `matchLabels` support the wildcard characters `*` (matches
5760 // zero or many characters)
5761 // and `?` (matches one character). Wildcards allow writing label
5762 // selectors like
5763 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5764 // any key and value but
5765 // does not match an empty label set.
5766 "namespaceSelector"?: {
5767 // matchExpressions is a list of label selector requirements. The
5768 // requirements are ANDed.
5769 "matchExpressions"?: [...{
5770 // key is the label key that the selector applies to.
5771 "key"!: string
5772
5773 // operator represents a key's relationship to a set of values.
5774 // Valid operators are In, NotIn, Exists and DoesNotExist.
5775 "operator"!: string
5776
5777 // values is an array of string values. If the operator is In or
5778 // NotIn,
5779 // the values array must be non-empty. If the operator is Exists
5780 // or DoesNotExist,
5781 // the values array must be empty. This array is replaced during a
5782 // strategic
5783 // merge patch.
5784 "values"?: [...string]
5785 }]
5786
5787 // matchLabels is a map of {key,value} pairs. A single {key,value}
5788 // in the matchLabels
5789 // map is equivalent to an element of matchExpressions, whose key
5790 // field is "key", the
5791 // operator is "In", and the values array contains only "value".
5792 // The requirements are ANDed.
5793 "matchLabels"?: {
5794 [string]: string
5795 }
5796 }
5797
5798 // Namespaces is a list of namespace names. Each name supports
5799 // wildcard characters
5800 // "*" (matches zero or many characters) and "?" (at least one
5801 // character).
5802 "namespaces"?: [...string]
5803
5804 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5805 // "DELETE"], which are used to match a specific action.
5806 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5807
5808 // Selector is a label selector. Label keys and values in
5809 // `matchLabels` support the wildcard
5810 // characters `*` (matches zero or many characters) and `?`
5811 // (matches one character).
5812 // Wildcards allow writing label selectors like
5813 // ["storage.k8s.io/*": "*"]. Note that
5814 // using ["*" : "*"] matches any key and value but does not match
5815 // an empty label set.
5816 "selector"?: {
5817 // matchExpressions is a list of label selector requirements. The
5818 // requirements are ANDed.
5819 "matchExpressions"?: [...{
5820 // key is the label key that the selector applies to.
5821 "key"!: string
5822
5823 // operator represents a key's relationship to a set of values.
5824 // Valid operators are In, NotIn, Exists and DoesNotExist.
5825 "operator"!: string
5826
5827 // values is an array of string values. If the operator is In or
5828 // NotIn,
5829 // the values array must be non-empty. If the operator is Exists
5830 // or DoesNotExist,
5831 // the values array must be empty. This array is replaced during a
5832 // strategic
5833 // merge patch.
5834 "values"?: [...string]
5835 }]
5836
5837 // matchLabels is a map of {key,value} pairs. A single {key,value}
5838 // in the matchLabels
5839 // map is equivalent to an element of matchExpressions, whose key
5840 // field is "key", the
5841 // operator is "In", and the values array contains only "value".
5842 // The requirements are ANDed.
5843 "matchLabels"?: {
5844 [string]: string
5845 }
5846 }
5847 }
5848
5849 // Roles is the list of namespaced role names for the user.
5850 "roles"?: [...string]
5851
5852 // Subjects is the list of subject names like users, user groups,
5853 // and service accounts.
5854 "subjects"?: [...{
5855 // APIGroup holds the API group of the referenced subject.
5856 // Defaults to "" for ServiceAccount subjects.
5857 // Defaults to "rbac.authorization.k8s.io" for User and Group
5858 // subjects.
5859 "apiGroup"?: string
5860
5861 // Kind of object being referenced. Values defined by this API
5862 // group are "User", "Group", and "ServiceAccount".
5863 // If the Authorizer does not recognize the kind value, the
5864 // Authorizer should report an error.
5865 "kind"!: string
5866
5867 // Name of the object being referenced.
5868 "name"!: string
5869
5870 // Namespace of the referenced object. If the object kind is
5871 // non-namespace, such as "User" or "Group", and this value is
5872 // not empty
5873 // the Authorizer should report an error.
5874 "namespace"?: string
5875 }]
5876 }
5877
5878 // Mutation is used to modify matching resources.
5879 "mutate"?: {
5880 // ForEach applies mutation rules to a list of sub-elements by
5881 // creating a context for each entry in the list and looping over
5882 // it to apply the specified logic.
5883 "foreach"?: [...{
5884 // Context defines variables and data sources that can be used
5885 // during rule execution.
5886 "context"?: [...matchN(1, [{
5887 "configMap"!: _
5888 }, {
5889 "apiCall"!: _
5890 }, {
5891 "imageRegistry"!: _
5892 }, {
5893 "variable"!: _
5894 }, {
5895 "globalReference"!: _
5896 }]) & {
5897 // APICall is an HTTP request to the Kubernetes API server, or
5898 // other JSON web service.
5899 // The data returned is stored in the context with the name for
5900 // the context entry.
5901 "apiCall"?: {
5902 // The data object specifies the POST data sent to the server.
5903 // Only applicable when the method field is set to POST.
5904 "data"?: [...{
5905 // Key is a unique identifier for the data value
5906 "key"!: string
5907
5908 // Value is the data value
5909 "value"!: null | bool | number | string | [...] | {
5910 ...
5911 }
5912 }]
5913
5914 // Default is an optional arbitrary JSON object that the context
5915 // value is set to, if the apiCall returns error.
5916 "default"?: null | bool | number | string | [...] | {
5917 ...
5918 }
5919
5920 // JMESPath is an optional JSON Match Expression that can be used
5921 // to
5922 // transform the JSON response returned from the server. For
5923 // example
5924 // a JMESPath of "items | length(@)" applied to the API server
5925 // response
5926 // for the URLPath "/apis/apps/v1/deployments" will return the
5927 // total count
5928 // of deployments across all namespaces.
5929 "jmesPath"?: string
5930
5931 // Method is the HTTP request type (GET or POST). Defaults to GET.
5932 "method"?: "GET" | "POST"
5933
5934 // Service is an API call to a JSON web service.
5935 // This is used for non-Kubernetes API server calls.
5936 // It's mutually exclusive with the URLPath field.
5937 "service"?: {
5938 // CABundle is a PEM encoded CA bundle which will be used to
5939 // validate
5940 // the server certificate.
5941 "caBundle"?: string
5942
5943 // Headers is a list of optional HTTP headers to be included in
5944 // the request.
5945 "headers"?: [...{
5946 // Key is the header key
5947 "key"!: string
5948
5949 // Value is the header value
5950 "value"!: string
5951 }]
5952
5953 // URL is the JSON web service URL. A typical form is
5954 // `https://{service}.{namespace}:{port}/{path}`.
5955 "url"!: string
5956 }
5957
5958 // URLPath is the URL path to be used in the HTTP GET or POST
5959 // request to the
5960 // Kubernetes API server (e.g. "/api/v1/namespaces" or
5961 // "/apis/apps/v1/deployments").
5962 // The format required is the same format used by the `kubectl get
5963 // --raw` command.
5964 // See
5965 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
5966 // for details.
5967 // It's mutually exclusive with the Service field.
5968 "urlPath"?: string
5969 }
5970
5971 // ConfigMap is the ConfigMap reference.
5972 "configMap"?: {
5973 // Name is the ConfigMap name.
5974 "name"!: string
5975
5976 // Namespace is the ConfigMap namespace.
5977 "namespace"?: string
5978 }
5979
5980 // GlobalContextEntryReference is a reference to a cached global
5981 // context entry.
5982 "globalReference"?: {
5983 // JMESPath is an optional JSON Match Expression that can be used
5984 // to
5985 // transform the JSON response returned from the server. For
5986 // example
5987 // a JMESPath of "items | length(@)" applied to the API server
5988 // response
5989 // for the URLPath "/apis/apps/v1/deployments" will return the
5990 // total count
5991 // of deployments across all namespaces.
5992 "jmesPath"?: string
5993
5994 // Name of the global context entry
5995 "name"!: string
5996 }
5997
5998 // ImageRegistry defines requests to an OCI/Docker V2 registry to
5999 // fetch image
6000 // details.
6001 "imageRegistry"?: {
6002 // ImageRegistryCredentials provides credentials that will be used
6003 // for authentication with registry
6004 "imageRegistryCredentials"?: {
6005 // AllowInsecureRegistry allows insecure access to a registry.
6006 "allowInsecureRegistry"?: bool
6007
6008 // Providers specifies a list of OCI Registry names, whose
6009 // authentication providers are provided.
6010 // It can be of one of these values:
6011 // default,google,azure,amazon,github.
6012 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6013
6014 // Secrets specifies a list of secrets that are provided for
6015 // credentials.
6016 // Secrets must live in the Kyverno namespace.
6017 "secrets"?: [...string]
6018 }
6019
6020 // JMESPath is an optional JSON Match Expression that can be used
6021 // to
6022 // transform the ImageData struct returned as a result of
6023 // processing
6024 // the image reference.
6025 "jmesPath"?: string
6026
6027 // Reference is the image reference to a container image in the
6028 // registry.
6029 // Example: ghcr.io/kyverno/kyverno:latest
6030 "reference"!: string
6031 }
6032
6033 // Name is the variable name.
6034 "name"!: string
6035
6036 // Variable defines an arbitrary JMESPath context variable that
6037 // can be defined inline.
6038 "variable"?: {
6039 // Default is an optional arbitrary JSON object that the variable
6040 // may take if the JMESPath
6041 // expression evaluates to nil
6042 "default"?: null | bool | number | string | [...] | {
6043 ...
6044 }
6045
6046 // JMESPath is an optional JMESPath Expression that can be used to
6047 // transform the variable.
6048 "jmesPath"?: string
6049
6050 // Value is any arbitrary JSON object representable in YAML or
6051 // JSON form.
6052 "value"?: null | bool | number | string | [...] | {
6053 ...
6054 }
6055 }
6056 }]
6057
6058 // Foreach declares a nested foreach iterator
6059 "foreach"?: null | bool | number | string | [...] | {
6060 ...
6061 }
6062
6063 // List specifies a JMESPath expression that results in one or
6064 // more elements
6065 // to which the validation logic is applied.
6066 "list"?: string
6067
6068 // Order defines the iteration order on the list.
6069 // Can be Ascending to iterate from first to last element or
6070 // Descending to iterate from last to first element.
6071 "order"?: "Ascending" | "Descending"
6072
6073 // PatchStrategicMerge is a strategic merge patch used to modify
6074 // resources.
6075 // See
6076 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
6077 // and
6078 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
6079 "patchStrategicMerge"?: null | bool | number | string | [...] | {
6080 ...
6081 }
6082
6083 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
6084 // used to modify resources.
6085 // See https://tools.ietf.org/html/rfc6902 and
6086 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
6087 "patchesJson6902"?: string
6088
6089 // AnyAllConditions are used to determine if a policy rule should
6090 // be applied by evaluating a
6091 // set of conditions. The declaration can contain nested `any` or
6092 // `all` statements.
6093 // See: https://kyverno.io/docs/writing-policies/preconditions/
6094 "preconditions"?: {
6095 // AllConditions enable variable-based conditional rule execution.
6096 // This is useful for
6097 // finer control of when a rule is applied. A condition can
6098 // reference object data
6099 // using JMESPath notation.
6100 // Here, all of the conditions need to pass
6101 "all"?: [...{
6102 // Key is the context entry (using JMESPath) for conditional rule
6103 // evaluation.
6104 "key"?: null | bool | number | string | [...] | {
6105 ...
6106 }
6107
6108 // Message is an optional display message
6109 "message"?: string
6110
6111 // Operator is the conditional operation to perform. Valid
6112 // operators are:
6113 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6114 // GreaterThanOrEquals,
6115 // GreaterThan, LessThanOrEquals, LessThan,
6116 // DurationGreaterThanOrEquals, DurationGreaterThan,
6117 // DurationLessThanOrEquals, DurationLessThan
6118 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6119
6120 // Value is the conditional value, or set of values. The values
6121 // can be fixed set
6122 // or can be variables declared using JMESPath.
6123 "value"?: null | bool | number | string | [...] | {
6124 ...
6125 }
6126 }]
6127
6128 // AnyConditions enable variable-based conditional rule execution.
6129 // This is useful for
6130 // finer control of when a rule is applied. A condition can
6131 // reference object data
6132 // using JMESPath notation.
6133 // Here, at least one of the conditions needs to pass
6134 "any"?: [...{
6135 // Key is the context entry (using JMESPath) for conditional rule
6136 // evaluation.
6137 "key"?: null | bool | number | string | [...] | {
6138 ...
6139 }
6140
6141 // Message is an optional display message
6142 "message"?: string
6143
6144 // Operator is the conditional operation to perform. Valid
6145 // operators are:
6146 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6147 // GreaterThanOrEquals,
6148 // GreaterThan, LessThanOrEquals, LessThan,
6149 // DurationGreaterThanOrEquals, DurationGreaterThan,
6150 // DurationLessThanOrEquals, DurationLessThan
6151 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6152
6153 // Value is the conditional value, or set of values. The values
6154 // can be fixed set
6155 // or can be variables declared using JMESPath.
6156 "value"?: null | bool | number | string | [...] | {
6157 ...
6158 }
6159 }]
6160 ...
6161 }
6162 }]
6163
6164 // MutateExistingOnPolicyUpdate controls if the mutateExisting
6165 // rule will be applied on policy events.
6166 "mutateExistingOnPolicyUpdate"?: bool
6167
6168 // PatchStrategicMerge is a strategic merge patch used to modify
6169 // resources.
6170 // See
6171 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
6172 // and
6173 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
6174 "patchStrategicMerge"?: null | bool | number | string | [...] | {
6175 ...
6176 }
6177
6178 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
6179 // used to modify resources.
6180 // See https://tools.ietf.org/html/rfc6902 and
6181 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
6182 "patchesJson6902"?: string
6183
6184 // Targets defines the target resources to be mutated.
6185 "targets"?: [...{
6186 // APIVersion specifies resource apiVersion.
6187 "apiVersion"?: string
6188
6189 // Context defines variables and data sources that can be used
6190 // during rule execution.
6191 "context"?: [...matchN(1, [{
6192 "configMap"!: _
6193 }, {
6194 "apiCall"!: _
6195 }, {
6196 "imageRegistry"!: _
6197 }, {
6198 "variable"!: _
6199 }, {
6200 "globalReference"!: _
6201 }]) & {
6202 // APICall is an HTTP request to the Kubernetes API server, or
6203 // other JSON web service.
6204 // The data returned is stored in the context with the name for
6205 // the context entry.
6206 "apiCall"?: {
6207 // The data object specifies the POST data sent to the server.
6208 // Only applicable when the method field is set to POST.
6209 "data"?: [...{
6210 // Key is a unique identifier for the data value
6211 "key"!: string
6212
6213 // Value is the data value
6214 "value"!: null | bool | number | string | [...] | {
6215 ...
6216 }
6217 }]
6218
6219 // Default is an optional arbitrary JSON object that the context
6220 // value is set to, if the apiCall returns an error.
6221 "default"?: null | bool | number | string | [...] | {
6222 ...
6223 }
6224
6225 // JMESPath is an optional JSON Match Expression that can be used
6226 // to
6227 // transform the JSON response returned from the server. For
6228 // example
6229 // a JMESPath of "items | length(@)" applied to the API server
6230 // response
6231 // for the URLPath "/apis/apps/v1/deployments" will return the
6232 // total count
6233 // of deployments across all namespaces.
6234 "jmesPath"?: string
6235
6236 // Method is the HTTP request type (GET or POST). Defaults to GET.
6237 "method"?: "GET" | "POST"
6238
6239 // Service is an API call to a JSON web service.
6240 // This is used for non-Kubernetes API server calls.
6241 // It's mutually exclusive with the URLPath field.
6242 "service"?: {
6243 // CABundle is a PEM encoded CA bundle which will be used to
6244 // validate
6245 // the server certificate.
6246 "caBundle"?: string
6247
6248 // Headers is a list of optional HTTP headers to be included in
6249 // the request.
6250 "headers"?: [...{
6251 // Key is the header key
6252 "key"!: string
6253
6254 // Value is the header value
6255 "value"!: string
6256 }]
6257
6258 // URL is the JSON web service URL. A typical form is
6259 // `https://{service}.{namespace}:{port}/{path}`.
6260 "url"!: string
6261 }
6262
6263 // URLPath is the URL path to be used in the HTTP GET or POST
6264 // request to the
6265 // Kubernetes API server (e.g. "/api/v1/namespaces" or
6266 // "/apis/apps/v1/deployments").
6267 // The format required is the same format used by the `kubectl get
6268 // --raw` command.
6269 // See
6270 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6271 // for details.
6272 // It's mutually exclusive with the Service field.
6273 "urlPath"?: string
6274 }
6275
6276 // ConfigMap is the ConfigMap reference.
6277 "configMap"?: {
6278 // Name is the ConfigMap name.
6279 "name"!: string
6280
6281 // Namespace is the ConfigMap namespace.
6282 "namespace"?: string
6283 }
6284
6285 // GlobalContextEntryReference is a reference to a cached global
6286 // context entry.
6287 "globalReference"?: {
6288 // JMESPath is an optional JSON Match Expression that can be used
6289 // to
6290 // transform the JSON response returned from the server. For
6291 // example
6292 // a JMESPath of "items | length(@)" applied to the API server
6293 // response
6294 // for the URLPath "/apis/apps/v1/deployments" will return the
6295 // total count
6296 // of deployments across all namespaces.
6297 "jmesPath"?: string
6298
6299 // Name of the global context entry
6300 "name"!: string
6301 }
6302
6303 // ImageRegistry defines requests to an OCI/Docker V2 registry to
6304 // fetch image
6305 // details.
6306 "imageRegistry"?: {
6307 // ImageRegistryCredentials provides credentials that will be used
6308 // for authentication with the registry.
6309 "imageRegistryCredentials"?: {
6310 // AllowInsecureRegistry allows insecure access to a registry.
6311 "allowInsecureRegistry"?: bool
6312
6313 // Providers specifies a list of OCI Registry names, whose
6314 // authentication providers are provided.
6315 // It can be one of these values:
6316 // default,google,azure,amazon,github.
6317 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6318
6319 // Secrets specifies a list of secrets that are provided for
6320 // credentials.
6321 // Secrets must live in the Kyverno namespace.
6322 "secrets"?: [...string]
6323 }
6324
6325 // JMESPath is an optional JSON Match Expression that can be used
6326 // to
6327 // transform the ImageData struct returned as a result of
6328 // processing
6329 // the image reference.
6330 "jmesPath"?: string
6331
6332 // Reference is an image reference to a container image in the
6333 // registry.
6334 // Example: ghcr.io/kyverno/kyverno:latest
6335 "reference"!: string
6336 }
6337
6338 // Name is the variable name.
6339 "name"!: string
6340
6341 // Variable defines an arbitrary JMESPath context variable that
6342 // can be defined inline.
6343 "variable"?: {
6344 // Default is an optional arbitrary JSON object that the variable
6345 // may take if the JMESPath
6346 // expression evaluates to nil
6347 "default"?: null | bool | number | string | [...] | {
6348 ...
6349 }
6350
6351 // JMESPath is an optional JMESPath Expression that can be used to
6352 // transform the variable.
6353 "jmesPath"?: string
6354
6355 // Value is any arbitrary JSON object representable in YAML or
6356 // JSON form.
6357 "value"?: null | bool | number | string | [...] | {
6358 ...
6359 }
6360 }
6361 }]
6362
6363 // Kind specifies resource kind.
6364 "kind"?: string
6365
6366 // Name specifies the resource name.
6367 "name"?: string
6368
6369 // Namespace specifies resource namespace.
6370 "namespace"?: string
6371
6372 // Preconditions are used to determine if a policy rule should be
6373 // applied by evaluating a
6374 // set of conditions. The declaration can contain nested `any` or
6375 // `all` statements. A direct list
6376 // of conditions (without `any` or `all` statements) is supported
6377 // for backwards compatibility but
6378 // will be deprecated in the next major release.
6379 // See: https://kyverno.io/docs/writing-policies/preconditions/
6380 "preconditions"?: null | bool | number | string | [...] | {
6381 ...
6382 }
6383
6384 // Selector allows you to select target resources with their
6385 // labels.
6386 "selector"?: {
6387 // matchExpressions is a list of label selector requirements. The
6388 // requirements are ANDed.
6389 "matchExpressions"?: [...{
6390 // key is the label key that the selector applies to.
6391 "key"!: string
6392
6393 // operator represents a key's relationship to a set of values.
6394 // Valid operators are In, NotIn, Exists and DoesNotExist.
6395 "operator"!: string
6396
6397 // values is an array of string values. If the operator is In or
6398 // NotIn,
6399 // the values array must be non-empty. If the operator is Exists
6400 // or DoesNotExist,
6401 // the values array must be empty. This array is replaced during a
6402 // strategic
6403 // merge patch.
6404 "values"?: [...string]
6405 }]
6406
6407 // matchLabels is a map of {key,value} pairs. A single {key,value}
6408 // in the matchLabels
6409 // map is equivalent to an element of matchExpressions, whose key
6410 // field is "key", the
6411 // operator is "In", and the values array contains only "value".
6412 // The requirements are ANDed.
6413 "matchLabels"?: {
6414 [string]: string
6415 }
6416 }
6417
6418 // UID specifies the resource uid.
6419 "uid"?: string
6420 }]
6421 }
6422
6423 // Name is a label to identify the rule. It must be unique within
6424 // the policy.
6425 "name"!: strings.MaxRunes(
6426 63)
6427
6428 // Preconditions are used to determine if a policy rule should be
6429 // applied by evaluating a
6430 // set of conditions. The declaration can contain nested `any` or
6431 // `all` statements. A direct list
6432 // of conditions (without `any` or `all` statements) is supported
6433 // for backwards compatibility but
6434 // will be deprecated in the next major release.
6435 // See: https://kyverno.io/docs/writing-policies/preconditions/
6436 "preconditions"?: null | bool | number | string | [...] | {
6437 ...
6438 }
6439
6440 // ReportProperties are the additional properties from the rule
6441 // that will be added to the policy report result
6442 "reportProperties"?: {
6443 [string]: string
6444 }
6445
6446 // SkipBackgroundRequests bypasses admission requests that are
6447 // sent by the background controller.
6448 // The default value is "true"; it must be set to "false"
6449 // to apply
6450 // generate and mutateExisting rules to those requests.
6451 "skipBackgroundRequests"?: bool
6452
6453 // Validation is used to validate matching resources.
6454 "validate"?: {
6455 // AllowExistingViolations allows preexisting violating resources
6456 // to continue violating a policy.
6457 "allowExistingViolations"?: bool
6458
6459 // AnyPattern specifies list of validation patterns. At least one
6460 // of the patterns
6461 // must be satisfied for the validation rule to succeed.
6462 "anyPattern"?: null | bool | number | string | [...] | {
6463 ...
6464 }
6465
6466 // Assert defines a kyverno-json assertion tree.
6467 "assert"?: {
6468 ...
6469 }
6470
6471 // CEL allows validation checks using the Common Expression
6472 // Language
6473 // (https://kubernetes.io/docs/reference/using-api/cel/).
6474 "cel"?: {
6475 // AuditAnnotations contains CEL expressions which are used to
6476 // produce audit annotations for the audit event of the API
6477 // request.
6478 "auditAnnotations"?: [...{
6479 // key specifies the audit annotation key. The audit annotation
6480 // keys of
6481 // a ValidatingAdmissionPolicy must be unique. The key must be a
6482 // qualified
6483 // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
6484 // length.
6485 //
6486 // The key is combined with the resource name of the
6487 // ValidatingAdmissionPolicy to construct an audit annotation key:
6488 // "{ValidatingAdmissionPolicy name}/{key}".
6489 //
6490 // If an admission webhook uses the same resource name as this
6491 // ValidatingAdmissionPolicy
6492 // and the same audit annotation key, the annotation key will be
6493 // identical.
6494 // In this case, the first annotation written with the key will be
6495 // included
6496 // in the audit event and all subsequent annotations with the same
6497 // key
6498 // will be discarded.
6499 //
6500 // Required.
6501 "key"!: string
6502
6503 // valueExpression represents the expression which is evaluated by
6504 // CEL to
6505 // produce an audit annotation value. The expression must evaluate
6506 // to either
6507 // a string or null value. If the expression evaluates to a
6508 // string, the
6509 // audit annotation is included with the string value. If the
6510 // expression
6511 // evaluates to null or empty string the audit annotation will be
6512 // omitted.
6513 // The valueExpression may be no longer than 5kb in length.
6514 // If the result of the valueExpression is more than 10kb in
6515 // length, it
6516 // will be truncated to 10kb.
6517 //
6518 // If multiple ValidatingAdmissionPolicyBinding resources match an
6519 // API request, then the valueExpression will be evaluated for
6520 // each binding. All unique values produced by the
6521 // valueExpressions
6522 // will be joined together in a comma-separated list.
6523 //
6524 // Required.
6525 "valueExpression"!: string
6526 }]
6527
6528 // Expressions is a list of CELExpression types.
6529 "expressions"?: [...{
6530 // Expression represents the expression which will be evaluated by
6531 // CEL.
6532 // ref: https://github.com/google/cel-spec
6533 // CEL expressions have access to the contents of the API
6534 // request/response, organized into CEL variables as well as some
6535 // other useful variables:
6536 //
6537 // - 'object' - The object from the incoming request. The value is
6538 // null for DELETE requests.
6539 // - 'oldObject' - The existing object. The value is null for
6540 // CREATE requests.
6541 // - 'request' - Attributes of the API
6542 // request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
6543 // - 'params' - Parameter resource referred to by the policy
6544 // binding being evaluated. Only populated if the policy has a
6545 // ParamKind.
6546 // - 'namespaceObject' - The namespace object that the incoming
6547 // object belongs to. The value is null for cluster-scoped
6548 // resources.
6549 // - 'variables' - Map of composited variables, from its name to
6550 // its lazily evaluated value.
6551 // For example, a variable named 'foo' can be accessed as
6552 // 'variables.foo'.
6553 // - 'authorizer' - A CEL Authorizer. May be used to perform
6554 // authorization checks for the principal (user or service
6555 // account) of the request.
6556 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
6557 // - 'authorizer.requestResource' - A CEL ResourceCheck
6558 // constructed from the 'authorizer' and configured with the
6559 // request resource.
6560 //
6561 // The `apiVersion`, `kind`, `metadata.name` and
6562 // `metadata.generateName` are always accessible from the root of
6563 // the
6564 // object. No other metadata properties are accessible.
6565 //
6566 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
6567 // are accessible.
6568 // Accessible property names are escaped according to the
6569 // following rules when accessed in the expression:
6570 // - '__' escapes to '__underscores__'
6571 // - '.' escapes to '__dot__'
6572 // - '-' escapes to '__dash__'
6573 // - '/' escapes to '__slash__'
6574 // - Property names that exactly match a CEL RESERVED keyword
6575 // escape to '__{keyword}__'. The keywords are:
6576 // "true", "false", "null", "in", "as", "break", "const",
6577 // "continue", "else", "for", "function", "if",
6578 // "import", "let", "loop", "package", "namespace", "return".
6579 // Examples:
6580 // - Expression accessing a property named "namespace":
6581 // {"Expression": "object.__namespace__ > 0"}
6582 // - Expression accessing a property named "x-prop":
6583 // {"Expression": "object.x__dash__prop > 0"}
6584 // - Expression accessing a property named "redact__d":
6585 // {"Expression": "object.redact__underscores__d > 0"}
6586 //
6587 // Equality on arrays with list type of 'set' or 'map' ignores
6588 // element order, i.e. [1, 2] == [2, 1].
6589 // Concatenation on arrays with x-kubernetes-list-type use the
6590 // semantics of the list type:
6591 // - 'set': `X + Y` performs a union where the array positions of
6592 // all elements in `X` are preserved and
6593 // non-intersecting elements in `Y` are appended, retaining their
6594 // partial order.
6595 // - 'map': `X + Y` performs a merge where the array positions of
6596 // all keys in `X` are preserved but the values
6597 // are overwritten by values in `Y` when the key sets of `X` and
6598 // `Y` intersect. Elements in `Y` with
6599 // non-intersecting keys are appended, retaining their partial
6600 // order.
6601 // Required.
6602 "expression"!: string
6603
6604 // Message represents the message displayed when validation fails.
6605 // The message is required if the Expression contains
6606 // line breaks. The message must not contain line breaks.
6607 // If unset, the message is "failed rule: {Rule}".
6608 // e.g. "must be a URL with the host matching spec.host"
6609 // If the Expression contains line breaks. Message is required.
6610 // The message must not contain line breaks.
6611 // If unset, the message is "failed Expression: {Expression}".
6612 "message"?: string
6613
6614 // messageExpression declares a CEL expression that evaluates to
6615 // the validation failure message that is returned when this rule
6616 // fails.
6617 // Since messageExpression is used as a failure message, it must
6618 // evaluate to a string.
6619 // If both message and messageExpression are present on a
6620 // validation, then messageExpression will be used if validation
6621 // fails.
6622 // If messageExpression results in a runtime error, the runtime
6623 // error is logged, and the validation failure message is
6624 // produced
6625 // as if the messageExpression field were unset. If
6626 // messageExpression evaluates to an empty string, a string with
6627 // only spaces, or a string
6628 // that contains line breaks, then the validation failure message
6629 // will also be produced as if the messageExpression field were
6630 // unset, and
6631 // the fact that messageExpression produced an empty string/string
6632 // with only spaces/string with line breaks will be logged.
6633 // messageExpression has access to all the same variables as the
6634 // `expression` except for 'authorizer' and
6635 // 'authorizer.requestResource'.
6636 // Example:
6637 // "object.x must be less than max ("+string(params.max)+")"
6638 "messageExpression"?: string
6639
6640 // Reason represents a machine-readable description of why this
6641 // validation failed.
6642 // If this is the first validation in the list to fail, this
6643 // reason, as well as the
6644 // corresponding HTTP response code, are used in the
6645 // HTTP response to the client.
6646 // The currently supported reasons are: "Unauthorized",
6647 // "Forbidden", "Invalid", "RequestEntityTooLarge".
6648 // If not set, StatusReasonInvalid is used in the response to the
6649 // client.
6650 "reason"?: string
6651 }]
6652
6653 // ParamKind is a tuple of Group Kind and Version.
6654 "paramKind"?: {
6655 // APIVersion is the API group version the resources belong to.
6656 // In format of "group/version".
6657 // Required.
6658 "apiVersion"?: string
6659
6660 // Kind is the API kind the resources belong to.
6661 // Required.
6662 "kind"?: string
6663 }
6664
6665 // ParamRef references a parameter resource.
6666 "paramRef"?: {
6667 // name is the name of the resource being referenced.
6668 //
6669 // One of `name` or `selector` must be set, but `name` and
6670 // `selector` are
6671 // mutually exclusive properties. If one is set, the other must be
6672 // unset.
6673 //
6674 // A single parameter used for all admission requests can be
6675 // configured
6676 // by setting the `name` field, leaving `selector` blank, and
6677 // setting namespace
6678 // if `paramKind` is namespace-scoped.
6679 "name"?: string
6680
6681 // namespace is the namespace of the referenced resource. Allows
6682 // limiting
6683 // the search for params to a specific namespace. Applies to both
6684 // `name` and
6685 // `selector` fields.
6686 //
6687 // A per-namespace parameter may be used by specifying a
6688 // namespace-scoped
6689 // `paramKind` in the policy and leaving this field empty.
6690 //
6691 // - If `paramKind` is cluster-scoped, this field MUST be unset.
6692 // Setting this
6693 // field results in a configuration error.
6694 //
6695 // - If `paramKind` is namespace-scoped, the namespace of the
6696 // object being
6697 // evaluated for admission will be used when this field is left
6698 // unset. Take
6699 // care that if this is left empty the binding must not match any
6700 // cluster-scoped
6701 // resources, which will result in an error.
6702 "namespace"?: string
6703
6704 // `parameterNotFoundAction` controls the behavior of the binding
6705 // when the resource
6706 // exists, and name or selector is valid, but there are no
6707 // parameters
6708 // matched by the binding. If the value is set to `Allow`, then no
6709 // matched parameters will be treated as successful validation by
6710 // the binding.
6711 // If set to `Deny`, then no matched parameters will be subject to
6712 // the
6713 // `failurePolicy` of the policy.
6714 //
6715 // Allowed values are `Allow` or `Deny`
6716 //
6717 // Required
6718 "parameterNotFoundAction"?: string
6719
6720 // selector can be used to match multiple param objects based on
6721 // their labels.
6722 // Supply selector: {} to match all resources of the ParamKind.
6723 //
6724 // If multiple params are found, they are all evaluated with the
6725 // policy expressions
6726 // and the results are ANDed together.
6727 //
6728 // One of `name` or `selector` must be set, but `name` and
6729 // `selector` are
6730 // mutually exclusive properties. If one is set, the other must be
6731 // unset.
6732 "selector"?: {
6733 // matchExpressions is a list of label selector requirements. The
6734 // requirements are ANDed.
6735 "matchExpressions"?: [...{
6736 // key is the label key that the selector applies to.
6737 "key"!: string
6738
6739 // operator represents a key's relationship to a set of values.
6740 // Valid operators are In, NotIn, Exists and DoesNotExist.
6741 "operator"!: string
6742
6743 // values is an array of string values. If the operator is In or
6744 // NotIn,
6745 // the values array must be non-empty. If the operator is Exists
6746 // or DoesNotExist,
6747 // the values array must be empty. This array is replaced during a
6748 // strategic
6749 // merge patch.
6750 "values"?: [...string]
6751 }]
6752
6753 // matchLabels is a map of {key,value} pairs. A single {key,value}
6754 // in the matchLabels
6755 // map is equivalent to an element of matchExpressions, whose key
6756 // field is "key", the
6757 // operator is "In", and the values array contains only "value".
6758 // The requirements are ANDed.
6759 "matchLabels"?: {
6760 [string]: string
6761 }
6762 }
6763 }
6764
6765 // Variables contain definitions of variables that can be used in
6766 // composition of other expressions.
6767 // Each variable is defined as a named CEL expression.
6768 // The variables defined here will be available under `variables`
6769 // in other expressions of the policy.
6770 "variables"?: [...{
6771 // Expression is the expression that will be evaluated as the
6772 // value of the variable.
6773 // The CEL expression has access to the same identifiers as the
6774 // CEL expressions in Validation.
6775 "expression"!: string
6776
6777 // Name is the name of the variable. The name must be a valid CEL
6778 // identifier and unique among all variables.
6779 // The variable can be accessed in other expressions through
6780 // `variables`
6781 // For example, if name is "foo", the variable will be available
6782 // as `variables.foo`
6783 "name"!: string
6784 }]
6785 }
6786
6787 // Deny defines conditions used to pass or fail a validation rule.
6788 "deny"?: {
6789 // Multiple conditions can be declared under an `any` or `all`
6790 // statement. A direct list
6791 // of conditions (without `any` or `all` statements) is also
6792 // supported for backwards compatibility
6793 // but will be deprecated in the next major release.
6794 // See:
6795 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
6796 "conditions"?: null | bool | number | string | [...] | {
6797 ...
6798 }
6799 }
6800
6801 // FailureAction defines if a validation policy rule violation
6802 // should block
6803 // the admission review request (Enforce), or allow (Audit) the
6804 // admission review request
6805 // and report an error in a policy report. Optional.
6806 // Allowed values are Audit or Enforce.
6807 "failureAction"?: "Audit" | "Enforce"
6808
6809 // FailureActionOverrides is a Cluster Policy attribute that
6810 // specifies FailureAction
6811 // namespace-wise. It overrides FailureAction for the specified
6812 // namespaces.
6813 "failureActionOverrides"?: [...{
6814 // ValidationFailureAction defines the policy validation failure
6815 // action
6816 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
6817
6818 // A label selector is a label query over a set of resources. The
6819 // result of matchLabels and
6820 // matchExpressions are ANDed. An empty label selector matches all
6821 // objects. A null
6822 // label selector matches no objects.
6823 "namespaceSelector"?: {
6824 // matchExpressions is a list of label selector requirements. The
6825 // requirements are ANDed.
6826 "matchExpressions"?: [...{
6827 // key is the label key that the selector applies to.
6828 "key"!: string
6829
6830 // operator represents a key's relationship to a set of values.
6831 // Valid operators are In, NotIn, Exists and DoesNotExist.
6832 "operator"!: string
6833
6834 // values is an array of string values. If the operator is In or
6835 // NotIn,
6836 // the values array must be non-empty. If the operator is Exists
6837 // or DoesNotExist,
6838 // the values array must be empty. This array is replaced during a
6839 // strategic
6840 // merge patch.
6841 "values"?: [...string]
6842 }]
6843
6844 // matchLabels is a map of {key,value} pairs. A single {key,value}
6845 // in the matchLabels
6846 // map is equivalent to an element of matchExpressions, whose key
6847 // field is "key", the
6848 // operator is "In", and the values array contains only "value".
6849 // The requirements are ANDed.
6850 "matchLabels"?: {
6851 [string]: string
6852 }
6853 }
6854 "namespaces"?: [...string]
6855 }]
6856
6857 // ForEach applies validate rules to a list of sub-elements by
6858 // creating a context for each entry in the list and looping over
6859 // it to apply the specified logic.
6860 "foreach"?: [...{
6861 // AnyPattern specifies list of validation patterns. At least one
6862 // of the patterns
6863 // must be satisfied for the validation rule to succeed.
6864 "anyPattern"?: null | bool | number | string | [...] | {
6865 ...
6866 }
6867
6868 // Context defines variables and data sources that can be used
6869 // during rule execution.
6870 "context"?: [...matchN(1, [{
6871 "configMap"!: _
6872 }, {
6873 "apiCall"!: _
6874 }, {
6875 "imageRegistry"!: _
6876 }, {
6877 "variable"!: _
6878 }, {
6879 "globalReference"!: _
6880 }]) & {
6881 // APICall is an HTTP request to the Kubernetes API server, or
6882 // other JSON web service.
6883 // The data returned is stored in the context with the name for
6884 // the context entry.
6885 "apiCall"?: {
6886 // The data object specifies the POST data sent to the server.
6887 // Only applicable when the method field is set to POST.
6888 "data"?: [...{
6889 // Key is a unique identifier for the data value
6890 "key"!: string
6891
6892 // Value is the data value
6893 "value"!: null | bool | number | string | [...] | {
6894 ...
6895 }
6896 }]
6897
6898 // Default is an optional arbitrary JSON object that the context
6899 // value is set to, if the apiCall returns an error.
6900 "default"?: null | bool | number | string | [...] | {
6901 ...
6902 }
6903
6904 // JMESPath is an optional JSON Match Expression that can be used
6905 // to
6906 // transform the JSON response returned from the server. For
6907 // example
6908 // a JMESPath of "items | length(@)" applied to the API server
6909 // response
6910 // for the URLPath "/apis/apps/v1/deployments" will return the
6911 // total count
6912 // of deployments across all namespaces.
6913 "jmesPath"?: string
6914
6915 // Method is the HTTP request type (GET or POST). Defaults to GET.
6916 "method"?: "GET" | "POST"
6917
6918 // Service is an API call to a JSON web service.
6919 // This is used for non-Kubernetes API server calls.
6920 // It's mutually exclusive with the URLPath field.
6921 "service"?: {
6922 // CABundle is a PEM encoded CA bundle which will be used to
6923 // validate
6924 // the server certificate.
6925 "caBundle"?: string
6926
6927 // Headers is a list of optional HTTP headers to be included in
6928 // the request.
6929 "headers"?: [...{
6930 // Key is the header key
6931 "key"!: string
6932
6933 // Value is the header value
6934 "value"!: string
6935 }]
6936
6937 // URL is the JSON web service URL. A typical form is
6938 // `https://{service}.{namespace}:{port}/{path}`.
6939 "url"!: string
6940 }
6941
6942 // URLPath is the URL path to be used in the HTTP GET or POST
6943 // request to the
6944 // Kubernetes API server (e.g. "/api/v1/namespaces" or
6945 // "/apis/apps/v1/deployments").
6946 // The format required is the same format used by the `kubectl get
6947 // --raw` command.
6948 // See
6949 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6950 // for details.
6951 // It's mutually exclusive with the Service field.
6952 "urlPath"?: string
6953 }
6954
6955 // ConfigMap is the ConfigMap reference.
6956 "configMap"?: {
6957 // Name is the ConfigMap name.
6958 "name"!: string
6959
6960 // Namespace is the ConfigMap namespace.
6961 "namespace"?: string
6962 }
6963
6964 // GlobalContextEntryReference is a reference to a cached global
6965 // context entry.
6966 "globalReference"?: {
6967 // JMESPath is an optional JSON Match Expression that can be used
6968 // to
6969 // transform the JSON response returned from the server. For
6970 // example
6971 // a JMESPath of "items | length(@)" applied to the API server
6972 // response
6973 // for the URLPath "/apis/apps/v1/deployments" will return the
6974 // total count
6975 // of deployments across all namespaces.
6976 "jmesPath"?: string
6977
6978 // Name of the global context entry
6979 "name"!: string
6980 }
6981
6982 // ImageRegistry defines requests to an OCI/Docker V2 registry to
6983 // fetch image
6984 // details.
6985 "imageRegistry"?: {
6986 // ImageRegistryCredentials provides credentials that will be used
6987 // for authentication with the registry.
6988 "imageRegistryCredentials"?: {
6989 // AllowInsecureRegistry allows insecure access to a registry.
6990 "allowInsecureRegistry"?: bool
6991
6992 // Providers specifies a list of OCI Registry names, whose
6993 // authentication providers are provided.
6994 // It can be one of these values:
6995 // default,google,azure,amazon,github.
6996 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6997
6998 // Secrets specifies a list of secrets that are provided for
6999 // credentials.
7000 // Secrets must live in the Kyverno namespace.
7001 "secrets"?: [...string]
7002 }
7003
7004 // JMESPath is an optional JSON Match Expression that can be used
7005 // to
7006 // transform the ImageData struct returned as a result of
7007 // processing
7008 // the image reference.
7009 "jmesPath"?: string
7010
7011 // Reference is an image reference to a container image in the
7012 // registry.
7013 // Example: ghcr.io/kyverno/kyverno:latest
7014 "reference"!: string
7015 }
7016
7017 // Name is the variable name.
7018 "name"!: string
7019
7020 // Variable defines an arbitrary JMESPath context variable that
7021 // can be defined inline.
7022 "variable"?: {
7023 // Default is an optional arbitrary JSON object that the variable
7024 // may take if the JMESPath
7025 // expression evaluates to nil
7026 "default"?: null | bool | number | string | [...] | {
7027 ...
7028 }
7029
7030 // JMESPath is an optional JMESPath Expression that can be used to
7031 // transform the variable.
7032 "jmesPath"?: string
7033
7034 // Value is any arbitrary JSON object representable in YAML or
7035 // JSON form.
7036 "value"?: null | bool | number | string | [...] | {
7037 ...
7038 }
7039 }
7040 }]
7041
7042 // Deny defines conditions used to pass or fail a validation rule.
7043 "deny"?: {
7044 // Multiple conditions can be declared under an `any` or `all`
7045 // statement. A direct list
7046 // of conditions (without `any` or `all` statements) is also
7047 // supported for backwards compatibility
7048 // but will be deprecated in the next major release.
7049 // See:
7050 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
7051 "conditions"?: null | bool | number | string | [...] | {
7052 ...
7053 }
7054 }
7055
7056 // ElementScope specifies whether to use the current list element
7057 // as the scope for validation. Defaults to "true" if not
7058 // specified.
7059 // When set to "false", "request.object" is used as the validation
7060 // scope within the foreach
7061 // block to allow referencing other elements in the subtree.
7062 "elementScope"?: bool
7063
7064 // Foreach declares a nested foreach iterator
7065 "foreach"?: null | bool | number | string | [...] | {
7066 ...
7067 }
7068
7069 // List specifies a JMESPath expression that results in one or
7070 // more elements
7071 // to which the validation logic is applied.
7072 "list"?: string
7073
7074 // Pattern specifies an overlay-style pattern used to check
7075 // resources.
7076 "pattern"?: null | bool | number | string | [...] | {
7077 ...
7078 }
7079
7080 // AnyAllConditions are used to determine if a policy rule should
7081 // be applied by evaluating a
7082 // set of conditions. The declaration can contain nested `any` or
7083 // `all` statements.
7084 // See: https://kyverno.io/docs/writing-policies/preconditions/
7085 "preconditions"?: {
7086 // AllConditions enable variable-based conditional rule execution.
7087 // This is useful for
7088 // finer control of when a rule is applied. A condition can
7089 // reference object data
7090 // using JMESPath notation.
7091 // Here, all of the conditions need to pass
7092 "all"?: [...{
7093 // Key is the context entry (using JMESPath) for conditional rule
7094 // evaluation.
7095 "key"?: null | bool | number | string | [...] | {
7096 ...
7097 }
7098
7099 // Message is an optional display message
7100 "message"?: string
7101
7102 // Operator is the conditional operation to perform. Valid
7103 // operators are:
7104 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7105 // GreaterThanOrEquals,
7106 // GreaterThan, LessThanOrEquals, LessThan,
7107 // DurationGreaterThanOrEquals, DurationGreaterThan,
7108 // DurationLessThanOrEquals, DurationLessThan
7109 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7110
7111 // Value is the conditional value, or set of values. The values
7112 // can be a fixed set
7113 // or can be variables declared using JMESPath.
7114 "value"?: null | bool | number | string | [...] | {
7115 ...
7116 }
7117 }]
7118
7119 // AnyConditions enable variable-based conditional rule execution.
7120 // This is useful for
7121 // finer control of when a rule is applied. A condition can
7122 // reference object data
7123 // using JMESPath notation.
7124 // Here, at least one of the conditions needs to pass
7125 "any"?: [...{
7126 // Key is the context entry (using JMESPath) for conditional rule
7127 // evaluation.
7128 "key"?: null | bool | number | string | [...] | {
7129 ...
7130 }
7131
7132 // Message is an optional display message
7133 "message"?: string
7134
7135 // Operator is the conditional operation to perform. Valid
7136 // operators are:
7137 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7138 // GreaterThanOrEquals,
7139 // GreaterThan, LessThanOrEquals, LessThan,
7140 // DurationGreaterThanOrEquals, DurationGreaterThan,
7141 // DurationLessThanOrEquals, DurationLessThan
7142 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7143
7144 // Value is the conditional value, or set of values. The values
7145 // can be a fixed set
7146 // or can be variables declared using JMESPath.
7147 "value"?: null | bool | number | string | [...] | {
7148 ...
7149 }
7150 }]
7151 ...
7152 }
7153 }]
7154
7155 // Manifest specifies conditions for manifest verification
7156 "manifests"?: {
7157 // AnnotationDomain is custom domain of annotation for message and
7158 // signature. Default is "cosign.sigstore.dev".
7159 "annotationDomain"?: string
7160
7161 // Attestors specify the required attestors (i.e. authorities)
7162 "attestors"?: [...{
7163 // Count specifies the required number of entries that must match.
7164 // If the count is null, all entries must match
7165 // (a logical AND). If the count is 1, at least one entry must
7166 // match (a logical OR). If the count contains a
7167 // value N, then N must be less than or equal to the size of
7168 // entries, and at least N entries must match.
7169 "count"?: int & >=1
7170
7171 // Entries contains the available attestors. An attestor can be a
7172 // static key,
7173 // attributes for keyless verification, or a nested attestor
7174 // declaration.
7175 "entries"?: [...{
7176 // Annotations are used for image verification.
7177 // Every specified key-value pair must exist and match in the
7178 // verified payload.
7179 // The payload may contain other key-value pairs.
7180 "annotations"?: [string]: string
7181
7182 // Attestor is a nested set of Attestor used to specify a more
7183 // complex set of match authorities.
7184 "attestor"?: null | bool | number | string | [...] | {
7185 ...
7186 }
7187
7188 // Certificates specifies one or more certificates.
7189 "certificates"?: {
7190 // Cert is an optional PEM-encoded public certificate.
7191 "cert"?: string
7192
7193 // CertChain is an optional PEM encoded set of certificates used
7194 // to verify.
7195 "certChain"?: string
7196
7197 // CTLog (certificate timestamp log) provides a configuration for
7198 // validation of Signed Certificate
7199 // Timestamps (SCTs). If the value is unset, the default behavior
7200 // by Cosign is used.
7201 "ctlog"?: {
7202 // IgnoreSCT defines whether to use the Signed Certificate
7203 // Timestamp (SCT) log to check for a certificate
7204 // timestamp. Default is false. Set to true if this was opted out
7205 // during signing.
7206 "ignoreSCT"?: bool
7207
7208 // PubKey, if set, is used to validate SCTs against a custom
7209 // source.
7210 "pubkey"?: string
7211
7212 // TSACertChain, if set, is the PEM-encoded certificate chain file
7213 // for the RFC3161 timestamp authority. Must
7214 // contain the root CA certificate. Optionally may contain
7215 // intermediate CA certificates, and
7216 // may contain the leaf TSA certificate if not present in the
7217 // timestamp source.
7218 "tsaCertChain"?: string
7219 }
7220
7221 // Rekor provides configuration for the Rekor transparency log
7222 // service. If an empty object
7223 // is provided the public instance of Rekor
7224 // (https://rekor.sigstore.dev) is used.
7225 "rekor"?: {
7226 // IgnoreTlog skips transparency log verification.
7227 "ignoreTlog"?: bool
7228
7229 // RekorPubKey is an optional PEM-encoded public key to use for a
7230 // custom Rekor.
7231 // If set, this will be used to validate transparency log
7232 // signatures from a custom Rekor.
7233 "pubkey"?: string
7234
7235 // URL is the address of the transparency log. Defaults to the
7236 // public Rekor log instance https://rekor.sigstore.dev.
7237 "url"?: string
7238 }
7239 }
7240
7241 // Keyless is a set of attributes used to verify a Sigstore keyless
7242 // attestor.
7243 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7244 "keyless"?: {
7245 // AdditionalExtensions are certificate-extensions used for
7246 // keyless signing.
7247 "additionalExtensions"?: [string]: string
7248
7249 // CTLog (certificate timestamp log) provides a configuration for
7250 // validation of Signed Certificate
7251 // Timestamps (SCTs). If the value is unset, the default behavior
7252 // by Cosign is used.
7253 "ctlog"?: {
7254 // IgnoreSCT defines whether to use the Signed Certificate
7255 // Timestamp (SCT) log to check for a certificate
7256 // timestamp. Default is false. Set to true if this was opted out
7257 // during signing.
7258 "ignoreSCT"?: bool
7259
7260 // PubKey, if set, is used to validate SCTs against a custom
7261 // source.
7262 "pubkey"?: string
7263
7264 // TSACertChain, if set, is the PEM-encoded certificate chain file
7265 // for the RFC3161 timestamp authority. Must
7266 // contain the root CA certificate. Optionally may contain
7267 // intermediate CA certificates, and
7268 // may contain the leaf TSA certificate if not present in the
7269 // timestamp source.
7270 "tsaCertChain"?: string
7271 }
7272
7273 // Issuer is the certificate issuer used for keyless signing.
7274 "issuer"?: string
7275
7276 // IssuerRegExp is the regular expression to match certificate
7277 // issuer used for keyless signing.
7278 "issuerRegExp"?: string
7279
7280 // Rekor provides configuration for the Rekor transparency log
7281 // service. If an empty object
7282 // is provided the public instance of Rekor
7283 // (https://rekor.sigstore.dev) is used.
7284 "rekor"?: {
7285 // IgnoreTlog skips transparency log verification.
7286 "ignoreTlog"?: bool
7287
7288 // RekorPubKey is an optional PEM-encoded public key to use for a
7289 // custom Rekor.
7290 // If set, this will be used to validate transparency log
7291 // signatures from a custom Rekor.
7292 "pubkey"?: string
7293
7294 // URL is the address of the transparency log. Defaults to the
7295 // public Rekor log instance https://rekor.sigstore.dev.
7296 "url"?: string
7297 }
7298
7299 // Roots is an optional set of PEM encoded trusted root
7300 // certificates.
7301 // If not provided, the system roots are used.
7302 "roots"?: string
7303
7304 // Subject is the verified identity used for keyless signing, for
7305 // example the email address.
7306 "subject"?: string
7307
7308 // SubjectRegExp is the regular expression to match identity used
7309 // for keyless signing, for example the email address.
7310 "subjectRegExp"?: string
7311 }
7312
7313 // Keys specifies one or more public keys.
7314 "keys"?: {
7315 // CTLog (certificate timestamp log) provides a configuration for
7316 // validation of Signed Certificate
7317 // Timestamps (SCTs). If the value is unset, the default behavior
7318 // by Cosign is used.
7319 "ctlog"?: {
7320 // IgnoreSCT defines whether to use the Signed Certificate
7321 // Timestamp (SCT) log to check for a certificate
7322 // timestamp. Default is false. Set to true if this was opted out
7323 // during signing.
7324 "ignoreSCT"?: bool
7325
7326 // PubKey, if set, is used to validate SCTs against a custom
7327 // source.
7328 "pubkey"?: string
7329
7330 // TSACertChain, if set, is the PEM-encoded certificate chain file
7331 // for the RFC3161 timestamp authority. Must
7332 // contain the root CA certificate. Optionally may contain
7333 // intermediate CA certificates, and
7334 // may contain the leaf TSA certificate if not present in the
7335 // timestamp source.
7336 "tsaCertChain"?: string
7337 }
7338
7339 // KMS provides the URI to the public key stored in a Key
7340 // Management System. See:
7341 // https://github.com/sigstore/cosign/blob/main/KMS.md
7342 "kms"?: string
7343
7344 // Keys is a set of X.509 public keys used to verify image
7345 // signatures. The keys can be directly
7346 // specified or can be a variable reference to a key specified in
7347 // a ConfigMap (see
7348 // https://kyverno.io/docs/writing-policies/variables/), or
7349 // reference a standard Kubernetes Secret
7350 // elsewhere in the cluster by specifying it in the format
7351 // "k8s://<namespace>/<secret_name>".
7352 // The named Secret must specify a key `cosign.pub` containing the
7353 // public key used for
7354 // verification, (see
7355 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7356 // When multiple keys are specified each key is processed as a
7357 // separate staticKey entry
7358 // (.attestors[*].entries.keys) within the set of attestors and
7359 // the count is applied across the keys.
7360 "publicKeys"?: string
7361
7362 // Rekor provides configuration for the Rekor transparency log
7363 // service. If an empty object
7364 // is provided the public instance of Rekor
7365 // (https://rekor.sigstore.dev) is used.
7366 "rekor"?: {
7367 // IgnoreTlog skips transparency log verification.
7368 "ignoreTlog"?: bool
7369
7370 // RekorPubKey is an optional PEM-encoded public key to use for a
7371 // custom Rekor.
7372 // If set, this will be used to validate transparency log
7373 // signatures from a custom Rekor.
7374 "pubkey"?: string
7375
7376 // URL is the address of the transparency log. Defaults to the
7377 // public Rekor log instance https://rekor.sigstore.dev.
7378 "url"?: string
7379 }
7380
7381 // Reference to a Secret resource that contains a public key
7382 "secret"?: {
7383 // Name of the secret. The provided secret must contain a key
7384 // named cosign.pub.
7385 "name"!: string
7386
7387 // Namespace name where the Secret exists.
7388 "namespace"!: string
7389 }
7390
7391 // Deprecated. Use attestor.signatureAlgorithm instead.
7392 "signatureAlgorithm"?: string
7393 }
7394
7395 // Repository is an optional alternate OCI repository to use for
7396 // signatures and attestations that match this rule.
7397 // If specified Repository will override other OCI image
7398 // repository locations for this Attestor.
7399 "repository"?: string
7400
7401 // Specify signature algorithm for public keys. Supported values
7402 // are sha224, sha256, sha384 and sha512.
7403 "signatureAlgorithm"?: string
7404 }]
7405 }]
7406
7407 // DryRun configuration
7408 "dryRun"?: {
7409 "enable"?: bool
7410 "namespace"?: string
7411 }
7412
7413 // Fields which will be ignored while comparing manifests.
7414 "ignoreFields"?: [...{
7415 "fields"?: [...string]
7416 "objects"?: [...{
7417 "group"?: string
7418 "kind"?: string
7419 "name"?: string
7420 "namespace"?: string
7421 "version"?: string
7422 }]
7423 }]
7424
7425 // Repository is an optional alternate OCI repository to use for
7426 // resource bundle reference.
7427 // The repository can be overridden per Attestor or Attestation.
7428 "repository"?: string
7429 }
7430
7431 // Message specifies a custom message to be displayed on failure.
7432 "message"?: string
7433
7434 // Pattern specifies an overlay-style pattern used to check
7435 // resources.
7436 "pattern"?: null | bool | number | string | [...] | {
7437 ...
7438 }
7439
7440 // PodSecurity applies exemptions for Kubernetes Pod Security
7441 // admission
7442 // by specifying exclusions for Pod Security Standards controls.
7443 "podSecurity"?: {
7444 // Exclude specifies the Pod Security Standard controls to be
7445 // excluded.
7446 "exclude"?: [...{
7447 // ControlName specifies the name of the Pod Security Standard
7448 // control.
7449 // See:
7450 // https://kubernetes.io/docs/concepts/security/pod-security-standards/
7451 "controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
7452
7453 // Images selects matching containers and applies the container
7454 // level PSS.
7455 // Each image is the image name consisting of the registry
7456 // address, repository, image, and tag.
7457 // An empty list matches no containers; PSS checks are then applied
7458 // at the pod level only.
7459 // Wildcards ('*' and '?') are allowed. See:
7460 // https://kubernetes.io/docs/concepts/containers/images.
7461 "images"?: [...string]
7462
7463 // RestrictedField selects the field for the given Pod Security
7464 // Standard control.
7465 // When not set, all restricted fields for the control are
7466 // selected.
7467 "restrictedField"?: string
7468
7469 // Values defines the allowed values that can be excluded.
7470 "values"?: [...string]
7471 }]
7472
7473 // Level defines the Pod Security Standard level to be applied to
7474 // workloads.
7475 // Allowed values are privileged, baseline, and restricted.
7476 "level"?: "privileged" | "baseline" | "restricted"
7477
7478 // Version defines the Pod Security Standard versions that
7479 // Kubernetes supports.
7480 // Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
7481 // v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
7482 "version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
7483 }
7484 }
7485
7486 // VerifyImages is used to verify image signatures and mutate them
7487 // to add a digest
7488 "verifyImages"?: [...{
7489 // Deprecated.
7490 "additionalExtensions"?: [string]: string
7491
7492 // Deprecated. Use annotations per Attestor instead.
7493 "annotations"?: {
7494 [string]: string
7495 }
7496
7497 // Attestations are optional checks for signed in-toto Statements
7498 // used to verify the image.
7499 // See https://github.com/in-toto/attestation. Kyverno fetches
7500 // signed attestations from the
7501 // OCI registry and decodes them into a list of Statement
7502 // declarations.
7503 "attestations"?: [...{
7504 // Attestors specify the required attestors (i.e. authorities).
7505 "attestors"?: [...{
7506 // Count specifies the required number of entries that must match.
7507 // If the count is null, all entries must match
7508 // (a logical AND). If the count is 1, at least one entry must
7509 // match (a logical OR). If the count contains a
7510 // value N, then N must be less than or equal to the size of
7511 // entries, and at least N entries must match.
7512 "count"?: int & >=1
7513
7514 // Entries contains the available attestors. An attestor can be a
7515 // static key,
7516 // attributes for keyless verification, or a nested attestor
7517 // declaration.
7518 "entries"?: [...{
7519 // Annotations are used for image verification.
7520 // Every specified key-value pair must exist and match in the
7521 // verified payload.
7522 // The payload may contain other key-value pairs.
7523 "annotations"?: [string]: string
7524
7525 // Attestor is a nested set of Attestor used to specify a more
7526 // complex set of match authorities.
7527 "attestor"?: null | bool | number | string | [...] | {
7528 ...
7529 }
7530
7531 // Certificates specifies one or more certificates.
7532 "certificates"?: {
7533 // Cert is an optional PEM-encoded public certificate.
7534 "cert"?: string
7535
7536 // CertChain is an optional PEM encoded set of certificates used
7537 // to verify.
7538 "certChain"?: string
7539
7540 // CTLog (certificate timestamp log) provides a configuration for
7541 // validation of Signed Certificate
7542 // Timestamps (SCTs). If the value is unset, the default behavior
7543 // by Cosign is used.
7544 "ctlog"?: {
7545 // IgnoreSCT defines whether to use the Signed Certificate
7546 // Timestamp (SCT) log to check for a certificate
7547 // timestamp. Default is false. Set to true if this was opted out
7548 // during signing.
7549 "ignoreSCT"?: bool
7550
7551 // PubKey, if set, is used to validate SCTs against a custom
7552 // source.
7553 "pubkey"?: string
7554
7555 // TSACertChain, if set, is the PEM-encoded certificate chain file
7556 // for the RFC3161 timestamp authority. Must
7557 // contain the root CA certificate. Optionally may contain
7558 // intermediate CA certificates, and
7559 // may contain the leaf TSA certificate if not present in the
7560 // timestamp source.
7561 "tsaCertChain"?: string
7562 }
7563
7564 // Rekor provides configuration for the Rekor transparency log
7565 // service. If an empty object
7566 // is provided the public instance of Rekor
7567 // (https://rekor.sigstore.dev) is used.
7568 "rekor"?: {
7569 // IgnoreTlog skips transparency log verification.
7570 "ignoreTlog"?: bool
7571
7572 // RekorPubKey is an optional PEM-encoded public key to use for a
7573 // custom Rekor.
7574 // If set, this will be used to validate transparency log
7575 // signatures from a custom Rekor.
7576 "pubkey"?: string
7577
7578 // URL is the address of the transparency log. Defaults to the
7579 // public Rekor log instance https://rekor.sigstore.dev.
7580 "url"?: string
7581 }
7582 }
7583
7584 // Keyless is a set of attributes used to verify a Sigstore keyless
7585 // attestor.
7586 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7587 "keyless"?: {
7588 // AdditionalExtensions are certificate-extensions used for
7589 // keyless signing.
7590 "additionalExtensions"?: [string]: string
7591
7592 // CTLog (certificate timestamp log) provides a configuration for
7593 // validation of Signed Certificate
7594 // Timestamps (SCTs). If the value is unset, the default behavior
7595 // by Cosign is used.
7596 "ctlog"?: {
7597 // IgnoreSCT defines whether to use the Signed Certificate
7598 // Timestamp (SCT) log to check for a certificate
7599 // timestamp. Default is false. Set to true if this was opted out
7600 // during signing.
7601 "ignoreSCT"?: bool
7602
7603 // PubKey, if set, is used to validate SCTs against a custom
7604 // source.
7605 "pubkey"?: string
7606
7607 // TSACertChain, if set, is the PEM-encoded certificate chain file
7608 // for the RFC3161 timestamp authority. Must
7609 // contain the root CA certificate. Optionally may contain
7610 // intermediate CA certificates, and
7611 // may contain the leaf TSA certificate if not present in the
7612 // timestamp source.
7613 "tsaCertChain"?: string
7614 }
7615
7616 // Issuer is the certificate issuer used for keyless signing.
7617 "issuer"?: string
7618
7619 // IssuerRegExp is the regular expression to match certificate
7620 // issuer used for keyless signing.
7621 "issuerRegExp"?: string
7622
7623 // Rekor provides configuration for the Rekor transparency log
7624 // service. If an empty object
7625 // is provided the public instance of Rekor
7626 // (https://rekor.sigstore.dev) is used.
7627 "rekor"?: {
7628 // IgnoreTlog skips transparency log verification.
7629 "ignoreTlog"?: bool
7630
7631 // RekorPubKey is an optional PEM-encoded public key to use for a
7632 // custom Rekor.
7633 // If set, this will be used to validate transparency log
7634 // signatures from a custom Rekor.
7635 "pubkey"?: string
7636
7637 // URL is the address of the transparency log. Defaults to the
7638 // public Rekor log instance https://rekor.sigstore.dev.
7639 "url"?: string
7640 }
7641
7642 // Roots is an optional set of PEM encoded trusted root
7643 // certificates.
7644 // If not provided, the system roots are used.
7645 "roots"?: string
7646
7647 // Subject is the verified identity used for keyless signing, for
7648 // example the email address.
7649 "subject"?: string
7650
7651 // SubjectRegExp is the regular expression to match identity used
7652 // for keyless signing, for example the email address.
7653 "subjectRegExp"?: string
7654 }
7655
7656 // Keys specifies one or more public keys.
7657 "keys"?: {
7658 // CTLog (certificate timestamp log) provides a configuration for
7659 // validation of Signed Certificate
7660 // Timestamps (SCTs). If the value is unset, the default behavior
7661 // by Cosign is used.
7662 "ctlog"?: {
7663 // IgnoreSCT defines whether to use the Signed Certificate
7664 // Timestamp (SCT) log to check for a certificate
7665 // timestamp. Default is false. Set to true if this was opted out
7666 // during signing.
7667 "ignoreSCT"?: bool
7668
7669 // PubKey, if set, is used to validate SCTs against a custom
7670 // source.
7671 "pubkey"?: string
7672
7673 // TSACertChain, if set, is the PEM-encoded certificate chain file
7674 // for the RFC3161 timestamp authority. Must
7675 // contain the root CA certificate. Optionally may contain
7676 // intermediate CA certificates, and
7677 // may contain the leaf TSA certificate if not present in the
7678 // timestamp source.
7679 "tsaCertChain"?: string
7680 }
7681
7682 // KMS provides the URI to the public key stored in a Key
7683 // Management System. See:
7684 // https://github.com/sigstore/cosign/blob/main/KMS.md
7685 "kms"?: string
7686
7687 // Keys is a set of X.509 public keys used to verify image
7688 // signatures. The keys can be directly
7689 // specified or can be a variable reference to a key specified in
7690 // a ConfigMap (see
7691 // https://kyverno.io/docs/writing-policies/variables/), or
7692 // reference a standard Kubernetes Secret
7693 // elsewhere in the cluster by specifying it in the format
7694 // "k8s://<namespace>/<secret_name>".
7695 // The named Secret must specify a key `cosign.pub` containing the
7696 // public key used for
7697 // verification, (see
7698 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7699 // When multiple keys are specified each key is processed as a
7700 // separate staticKey entry
7701 // (.attestors[*].entries.keys) within the set of attestors and
7702 // the count is applied across the keys.
7703 "publicKeys"?: string
7704
7705 // Rekor provides configuration for the Rekor transparency log
7706 // service. If an empty object
7707 // is provided the public instance of Rekor
7708 // (https://rekor.sigstore.dev) is used.
7709 "rekor"?: {
7710 // IgnoreTlog skips transparency log verification.
7711 "ignoreTlog"?: bool
7712
7713 // RekorPubKey is an optional PEM-encoded public key to use for a
7714 // custom Rekor.
7715 // If set, this will be used to validate transparency log
7716 // signatures from a custom Rekor.
7717 "pubkey"?: string
7718
7719 // URL is the address of the transparency log. Defaults to the
7720 // public Rekor log instance https://rekor.sigstore.dev.
7721 "url"?: string
7722 }
7723
7724 // Reference to a Secret resource that contains a public key
7725 "secret"?: {
7726 // Name of the secret. The provided secret must contain a key
7727 // named cosign.pub.
7728 "name"!: string
7729
7730 // Namespace name where the Secret exists.
7731 "namespace"!: string
7732 }
7733
7734 // Deprecated. Use attestor.signatureAlgorithm instead.
7735 "signatureAlgorithm"?: string
7736 }
7737
7738 // Repository is an optional alternate OCI repository to use for
7739 // signatures and attestations that match this rule.
7740 // If specified Repository will override other OCI image
7741 // repository locations for this Attestor.
7742 "repository"?: string
7743
7744 // Specify signature algorithm for public keys. Supported values
7745 // are sha224, sha256, sha384 and sha512.
7746 "signatureAlgorithm"?: string
7747 }]
7748 }]
7749
7750 // Conditions are used to verify attributes within a Predicate. If
7751 // no Conditions are specified
7752 // the attestation check is satisfied as long as there are predicates
7753 // that match the predicate type.
7754 "conditions"?: [...{
7755 // AllConditions enable variable-based conditional rule execution.
7756 // This is useful for
7757 // finer control of when a rule is applied. A condition can
7758 // reference object data
7759 // using JMESPath notation.
7760 // Here, all of the conditions need to pass
7761 "all"?: [...{
7762 // Key is the context entry (using JMESPath) for conditional rule
7763 // evaluation.
7764 "key"?: null | bool | number | string | [...] | {
7765 ...
7766 }
7767
7768 // Message is an optional display message
7769 "message"?: string
7770
7771 // Operator is the conditional operation to perform. Valid
7772 // operators are:
7773 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7774 // GreaterThanOrEquals,
7775 // GreaterThan, LessThanOrEquals, LessThan,
7776 // DurationGreaterThanOrEquals, DurationGreaterThan,
7777 // DurationLessThanOrEquals, DurationLessThan
7778 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7779
7780 // Value is the conditional value, or set of values. The values
7781 // can be a fixed set
7782 // or can be variables declared using JMESPath.
7783 "value"?: null | bool | number | string | [...] | {
7784 ...
7785 }
7786 }]
7787
7788 // AnyConditions enable variable-based conditional rule execution.
7789 // This is useful for
7790 // finer control of when a rule is applied. A condition can
7791 // reference object data
7792 // using JMESPath notation.
7793 // Here, at least one of the conditions needs to pass
7794 "any"?: [...{
7795 // Key is the context entry (using JMESPath) for conditional rule
7796 // evaluation.
7797 "key"?: null | bool | number | string | [...] | {
7798 ...
7799 }
7800
7801 // Message is an optional display message
7802 "message"?: string
7803
7804 // Operator is the conditional operation to perform. Valid
7805 // operators are:
7806 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7807 // GreaterThanOrEquals,
7808 // GreaterThan, LessThanOrEquals, LessThan,
7809 // DurationGreaterThanOrEquals, DurationGreaterThan,
7810 // DurationLessThanOrEquals, DurationLessThan
7811 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7812
7813 // Value is the conditional value, or set of values. The values
7814 // can be a fixed set
7815 // or can be variables declared using JMESPath.
7816 "value"?: null | bool | number | string | [...] | {
7817 ...
7818 }
7819 }]
7820 }]
7821
7822 // Name is the variable name.
7823 "name"?: string
7824
7825 // Deprecated in favour of 'Type', to be removed soon
7826 "predicateType"?: string
7827
7828 // Type defines the type of attestation contained within the
7829 // Statement.
7830 "type"?: string
7831 }]
7832
7833 // Attestors specify the required attestors (i.e. authorities)
7834 "attestors"?: [...{
7835 // Count specifies the required number of entries that must match.
7836 // If the count is null, all entries must match
7837 // (a logical AND). If the count is 1, at least one entry must
7838 // match (a logical OR). If the count contains a
7839 // value N, then N must be less than or equal to the size of
7840 // entries, and at least N entries must match.
7841 "count"?: int & >=1
7842
7843 // Entries contains the available attestors. An attestor can be a
7844 // static key,
7845 // attributes for keyless verification, or a nested attestor
7846 // declaration.
7847 "entries"?: [...{
7848 // Annotations are used for image verification.
7849 // Every specified key-value pair must exist and match in the
7850 // verified payload.
7851 // The payload may contain other key-value pairs.
7852 "annotations"?: [string]: string
7853
7854 // Attestor is a nested set of Attestor used to specify a more
7855 // complex set of match authorities.
7856 "attestor"?: null | bool | number | string | [...] | {
7857 ...
7858 }
7859
7860 // Certificates specifies one or more certificates.
7861 "certificates"?: {
7862 // Cert is an optional PEM-encoded public certificate.
7863 "cert"?: string
7864
 // CertChain is an optional PEM-encoded set of CA certificates used
 // to build and verify the chain from `cert` up to a trusted root.
7868
7869 // CTLog (certificate timestamp log) provides a configuration for
7870 // validation of Signed Certificate
7871 // Timestamps (SCTs). If the value is unset, the default behavior
7872 // by Cosign is used.
7873 "ctlog"?: {
7874 // IgnoreSCT defines whether to use the Signed Certificate
7875 // Timestamp (SCT) log to check for a certificate
7876 // timestamp. Default is false. Set to true if this was opted out
7877 // during signing.
7878 "ignoreSCT"?: bool
7879
7880 // PubKey, if set, is used to validate SCTs against a custom
7881 // source.
7882 "pubkey"?: string
7883
7884 // TSACertChain, if set, is the PEM-encoded certificate chain file
7885 // for the RFC3161 timestamp authority. Must
7886 // contain the root CA certificate. Optionally may contain
7887 // intermediate CA certificates, and
 // may contain the leaf TSA certificate if not present in the
 // timestamp itself.
7890 "tsaCertChain"?: string
7891 }
7892
7893 // Rekor provides configuration for the Rekor transparency log
7894 // service. If an empty object
7895 // is provided the public instance of Rekor
7896 // (https://rekor.sigstore.dev) is used.
7897 "rekor"?: {
 // IgnoreTlog skips transparency log verification. Setting this to true
 // drops the Rekor inclusion check, which is what ties a signature to a
 // time at which its (possibly short-lived) signing certificate was
 // valid; if set, an RFC3161 timestamp (ctlog.tsaCertChain) should be
 // configured so that check is not lost entirely.
7899 "ignoreTlog"?: bool
7900
7901 // RekorPubKey is an optional PEM-encoded public key to use for a
7902 // custom Rekor.
7903 // If set, this will be used to validate transparency log
7904 // signatures from a custom Rekor.
7905 "pubkey"?: string
7906
7907 // URL is the address of the transparency log. Defaults to the
7908 // public Rekor log instance https://rekor.sigstore.dev.
7909 "url"?: string
7910 }
7911 }
7912
 // Keyless is a set of attributes used to verify a Sigstore keyless
 // attestor.
7915 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7916 "keyless"?: {
7917 // AdditionalExtensions are certificate-extensions used for
7918 // keyless signing.
7919 "additionalExtensions"?: [string]: string
7920
7921 // CTLog (certificate timestamp log) provides a configuration for
7922 // validation of Signed Certificate
7923 // Timestamps (SCTs). If the value is unset, the default behavior
7924 // by Cosign is used.
7925 "ctlog"?: {
7926 // IgnoreSCT defines whether to use the Signed Certificate
7927 // Timestamp (SCT) log to check for a certificate
7928 // timestamp. Default is false. Set to true if this was opted out
7929 // during signing.
7930 "ignoreSCT"?: bool
7931
7932 // PubKey, if set, is used to validate SCTs against a custom
7933 // source.
7934 "pubkey"?: string
7935
7936 // TSACertChain, if set, is the PEM-encoded certificate chain file
7937 // for the RFC3161 timestamp authority. Must
7938 // contain the root CA certificate. Optionally may contain
7939 // intermediate CA certificates, and
 // may contain the leaf TSA certificate if not present in the
 // timestamp itself.
7942 "tsaCertChain"?: string
7943 }
7944
7945 // Issuer is the certificate issuer used for keyless signing.
7946 "issuer"?: string
7947
 // IssuerRegExp is the regular expression to match the certificate
 // issuer used for keyless signing. Anchor it (`^...$`) unless a
 // substring match is really intended; otherwise an issuer that merely
 // contains the expected value also passes.
7951
7952 // Rekor provides configuration for the Rekor transparency log
7953 // service. If an empty object
7954 // is provided the public instance of Rekor
7955 // (https://rekor.sigstore.dev) is used.
7956 "rekor"?: {
 // IgnoreTlog skips transparency log verification. Setting this to true
 // drops the Rekor inclusion check, which is what ties a keyless
 // signature to a time at which its short-lived signing certificate was
 // valid; if set, an RFC3161 timestamp (ctlog.tsaCertChain) should be
 // configured so that check is not lost entirely.
7958 "ignoreTlog"?: bool
7959
7960 // RekorPubKey is an optional PEM-encoded public key to use for a
7961 // custom Rekor.
7962 // If set, this will be used to validate transparency log
7963 // signatures from a custom Rekor.
7964 "pubkey"?: string
7965
7966 // URL is the address of the transparency log. Defaults to the
7967 // public Rekor log instance https://rekor.sigstore.dev.
7968 "url"?: string
7969 }
7970
 // Roots is an optional set of PEM-encoded trusted root certificates
 // for the keyless signing certificate chain.
 // If not provided, the default roots are used. Note that for keyless
 // verification these are the Sigstore Fulcio roots rather than the
 // host OS trust store — confirm against the Kyverno version in use.
7975
7976 // Subject is the verified identity used for keyless signing, for
7977 // example the email address.
7978 "subject"?: string
7979
 // SubjectRegExp is the regular expression to match the identity used
 // for keyless signing, for example the email address. Anchor it
 // (`^...$`): an unanchored `.*@example\.com` also matches
 // `x@example.com.attacker.example`.
7983 }
7984
7985 // Keys specifies one or more public keys.
7986 "keys"?: {
7987 // CTLog (certificate timestamp log) provides a configuration for
7988 // validation of Signed Certificate
7989 // Timestamps (SCTs). If the value is unset, the default behavior
7990 // by Cosign is used.
7991 "ctlog"?: {
7992 // IgnoreSCT defines whether to use the Signed Certificate
7993 // Timestamp (SCT) log to check for a certificate
7994 // timestamp. Default is false. Set to true if this was opted out
7995 // during signing.
7996 "ignoreSCT"?: bool
7997
7998 // PubKey, if set, is used to validate SCTs against a custom
7999 // source.
8000 "pubkey"?: string
8001
8002 // TSACertChain, if set, is the PEM-encoded certificate chain file
8003 // for the RFC3161 timestamp authority. Must
8004 // contain the root CA certificate. Optionally may contain
8005 // intermediate CA certificates, and
 // may contain the leaf TSA certificate if not present in the
 // timestamp itself.
8008 "tsaCertChain"?: string
8009 }
8010
8011 // KMS provides the URI to the public key stored in a Key
8012 // Management System. See:
8013 // https://github.com/sigstore/cosign/blob/main/KMS.md
8014 "kms"?: string
8015
8016 // Keys is a set of X.509 public keys used to verify image
8017 // signatures. The keys can be directly
8018 // specified or can be a variable reference to a key specified in
8019 // a ConfigMap (see
8020 // https://kyverno.io/docs/writing-policies/variables/), or
8021 // reference a standard Kubernetes Secret
8022 // elsewhere in the cluster by specifying it in the format
8023 // "k8s://<namespace>/<secret_name>".
 // The named Secret must specify a key `cosign.pub` containing the
 // public key used for verification (see
 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
 // Whichever source is used, write access to that ConfigMap or Secret
 // is write access to the verification trust root and should be
 // restricted accordingly.
8028 // When multiple keys are specified each key is processed as a
8029 // separate staticKey entry
8030 // (.attestors[*].entries.keys) within the set of attestors and
8031 // the count is applied across the keys.
8032 "publicKeys"?: string
8033
8034 // Rekor provides configuration for the Rekor transparency log
8035 // service. If an empty object
8036 // is provided the public instance of Rekor
8037 // (https://rekor.sigstore.dev) is used.
8038 "rekor"?: {
 // IgnoreTlog skips transparency log verification. Only set this for
 // signatures that were deliberately not uploaded to Rekor; it removes
 // the public audit record of the signature.
8040 "ignoreTlog"?: bool
8041
8042 // RekorPubKey is an optional PEM-encoded public key to use for a
8043 // custom Rekor.
8044 // If set, this will be used to validate transparency log
8045 // signatures from a custom Rekor.
8046 "pubkey"?: string
8047
8048 // URL is the address of the transparency log. Defaults to the
8049 // public Rekor log instance https://rekor.sigstore.dev.
8050 "url"?: string
8051 }
8052
8053 // Reference to a Secret resource that contains a public key
8054 "secret"?: {
8055 // Name of the secret. The provided secret must contain a key
8056 // named cosign.pub.
8057 "name"!: string
8058
8059 // Namespace name where the Secret exists.
8060 "namespace"!: string
8061 }
8062
8063 // Deprecated. Use attestor.signatureAlgorithm instead.
8064 "signatureAlgorithm"?: string
8065 }
8066
8067 // Repository is an optional alternate OCI repository to use for
8068 // signatures and attestations that match this rule.
8069 // If specified Repository will override other OCI image
8070 // repository locations for this Attestor.
8071 "repository"?: string
8072
8073 // Specify signature algorithm for public keys. Supported values
8074 // are sha224, sha256, sha384 and sha512.
8075 "signatureAlgorithm"?: string
8076 }]
8077 }]
8078
8079 // CosignOCI11 enables the experimental OCI 1.1 behaviour in
8080 // cosign image verification.
8081 // Defaults to false.
8082 "cosignOCI11"?: bool
8083
 // FailureAction controls what happens when verification fails.
 // Allowed values are Audit (record the failure, admit the request)
 // or Enforce (reject the request).
8085 "failureAction"?: "Audit" | "Enforce"
8086
8087 // Deprecated. Use ImageReferences instead.
8088 "image"?: string
8089
8090 // ImageReferences is a list of matching image reference patterns.
8091 // At least one pattern in the
8092 // list must match the image for the rule to apply. Each image
8093 // reference consists of a registry
8094 // address (defaults to docker.io), repository, image, and tag
8095 // (defaults to latest).
8096 // Wildcards ('*' and '?') are allowed. See:
8097 // https://kubernetes.io/docs/concepts/containers/images.
8098 "imageReferences"?: [...string]
8099
8100 // ImageRegistryCredentials provides credentials that will be used
8101 // for authentication with registry.
8102 "imageRegistryCredentials"?: {
 // AllowInsecureRegistry allows insecure access to a registry (e.g.
 // plain HTTP or a TLS certificate that does not verify). This removes
 // transport protection for the signature and attestation fetches, so
 // restrict it to trusted private registries.
8104 "allowInsecureRegistry"?: bool
8105
8106 // Providers specifies a list of OCI Registry names, whose
8107 // authentication providers are provided.
8108 // It can be of one of these values:
8109 // default,google,azure,amazon,github.
8110 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
8111
8112 // Secrets specifies a list of secrets that are provided for
8113 // credentials.
8114 // Secrets must live in the Kyverno namespace.
8115 "secrets"?: [...string]
8116 }
8117
8118 // Deprecated. Use KeylessAttestor instead.
8119 "issuer"?: string
8120
8121 // Deprecated. Use StaticKeyAttestor instead.
8122 "key"?: string
8123
8124 // MutateDigest enables replacement of image tags with digests.
8125 // Defaults to true.
8126 "mutateDigest"?: bool
8127
8128 // Repository is an optional alternate OCI repository to use for
8129 // image signatures and attestations that match this rule.
8130 // If specified Repository will override the default OCI image
8131 // repository configured for the installation.
8132 // The repository can also be overridden per Attestor or
8133 // Attestation.
8134 "repository"?: string
8135
 // Required validates that images are verified, i.e. have passed a
 // signature or attestation check.
8138 "required"?: bool
8139
8140 // Deprecated. Use KeylessAttestor instead.
8141 "roots"?: string
8142
 // SkipImageReferences is a list of matching image reference
 // patterns that should be skipped. Images matching a pattern bypass
 // verification by this rule entirely, so keep the patterns narrow.
 // At least one pattern in the list must match the image for the
 // rule to be skipped. Each image reference
8147 // consists of a registry address (defaults to docker.io),
8148 // repository, image, and tag (defaults to latest).
8149 // Wildcards ('*' and '?') are allowed. See:
8150 // https://kubernetes.io/docs/concepts/containers/images.
8151 "skipImageReferences"?: [...string]
8152
8153 // Deprecated. Use KeylessAttestor instead.
8154 "subject"?: string
8155
 // Type specifies the method of signature validation. The allowed
 // values are `Cosign`, `SigstoreBundle` and `Notary`. By default
 // Cosign is used if a type is not specified.
8160 "type"?: "Cosign" | "SigstoreBundle" | "Notary"
8161
 // UseCache enables caching of image verify responses for this
 // rule. A cached result is reused until it expires, so changes to the
 // signatures or attestations in the registry are not reflected before
 // then.
8164 "useCache"?: bool
8165
8166 // Validation checks conditions across multiple image
8167 // verification attestations or context entries
8168 "validate"?: {
8169 // Deny defines conditions used to pass or fail a validation rule.
8170 "deny"?: {
8171 // Multiple conditions can be declared under an `any` or `all`
8172 // statement. A direct list
8173 // of conditions (without `any` or `all` statements) is also
8174 // supported for backwards compatibility
8175 // but will be deprecated in the next major release.
8176 // See:
8177 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
8178 "conditions"?: null | bool | number | string | [...] | {
8179 ...
8180 }
8181 }
8182
8183 // Message specifies a custom message to be displayed on failure.
8184 "message"?: string
8185 }
8186
8187 // VerifyDigest validates that images have a digest.
8188 "verifyDigest"?: bool
8189 }]
8190 }]
8191 }
8192 "conditions"?: [...{
8193 // lastTransitionTime is the last time the condition transitioned
8194 // from one status to another.
8195 // This should be when the underlying condition changed. If that
8196 // is not known, then using the time when the API field changed
8197 // is acceptable.
8198 "lastTransitionTime"!: time.Time
8199
8200 // message is a human readable message indicating details about
8201 // the transition.
8202 // This may be an empty string.
8203 "message"!: strings.MaxRunes(
8204 32768)
8205
8206 // observedGeneration represents the .metadata.generation that the
8207 // condition was set based upon.
8208 // For instance, if .metadata.generation is currently 12, but the
8209 // .status.conditions[x].observedGeneration is 9, the condition
8210 // is out of date
8211 // with respect to the current state of the instance.
8212 "observedGeneration"?: int64 & int & >=0
8213
8214 // reason contains a programmatic identifier indicating the reason
8215 // for the condition's last transition.
8216 // Producers of specific condition types may define expected
8217 // values and meanings for this field,
8218 // and whether the values are considered a guaranteed API.
8219 // The value should be a CamelCase string.
8220 // This field may not be empty.
8221 "reason"!: strings.MaxRunes(
8222 1024) & strings.MinRunes(
8223 1) & =~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"
8224
8225 // status of the condition, one of True, False, Unknown.
8226 "status"!: "True" | "False" | "Unknown"
8227
8228 // type of condition in CamelCase or in foo.example.com/CamelCase.
8229 "type"!: strings.MaxRunes(
8230 316) & =~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
8231 }]
8232
8233 // Deprecated in favor of Conditions
8234 "ready"?: bool
8235
 // RuleCountStatus contains four variables which describe the counts
 // of validate, generate, mutate and verify images rules
8239 "rulecount"?: {
8240 // Count for generate rules in policy
8241 "generate"!: int
8242
8243 // Count for mutate rules in policy
8244 "mutate"!: int
8245
8246 // Count for validate rules in policy
8247 "validate"!: int
8248
8249 // Count for verify image rules in policy
8250 "verifyimages"!: int
8251 }
8252
8253 // ValidatingAdmissionPolicy contains status information
8254 "validatingadmissionpolicy"?: {
8255 // Generated indicates whether a validating admission policy is
8256 // generated from the policy or not
8257 "generated"!: bool
8258
8259 // Message is a human readable message indicating details about
8260 // the generation of validating admission policy
8261 // It is an empty string when validating admission policy is
8262 // successfully generated.
8263 "message"!: string
8264 }
8265 }
8266
 // _embeddedResource is a hidden (underscore-prefixed) helper struct.
 // It requires apiVersion and kind to be present ("!") and accepts an
 // open metadata struct (any keys allowed via "...").
 _embeddedResource: {
 "apiVersion"!: string
 "kind"!: string
 "metadata"?: {
 ...
 }
 }
 // apiVersion and kind are pinned to concrete values, so a document
 // only unifies with this definition if it carries exactly these values.
 apiVersion: "kyverno.io/v1"
 kind: "ClusterPolicy"
 // metadata is required ("!") and must at least carry a name; labels
 // and annotations, when present, are string-to-string maps. Any other
 // metadata keys are permitted by the trailing "...".
 metadata!: {
 "name"!: string
 "namespace"?: string
 "labels"?: {
 [string]: string
 }
 "annotations"?: {
 [string]: string
 }
 ...
 }
8287}