1package v2beta1
2
3import (
4 "strings"
5 "time"
6)
7
8// ClusterPolicy declares validation, mutation, and generation
9// behaviors for matching resources.
10#ClusterPolicy: {
11 _embeddedResource
12
13 // APIVersion defines the versioned schema of this representation
14 // of an object.
15 // Servers should convert recognized schemas to the latest
16 // internal value, and
17 // may reject unrecognized values.
18 // More info:
19 // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
20 "apiVersion"?: string
21
22 // Kind is a string value representing the REST resource this
23 // object represents.
24 // Servers may infer this from the endpoint the client submits
25 // requests to.
26 // Cannot be updated.
27 // In CamelCase.
28 // More info:
29 // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
30 "kind"?: string
31 "metadata"?: {}
32
33 // Spec declares policy behaviors.
34 "spec"!: {
35 // Admission controls if rules are applied during admission.
36 // Optional. Default value is "true".
37 "admission"?: bool
38
39 // ApplyRules controls how rules in a policy are applied. Rules are
40 // processed in
41 // the order of declaration. When set to `One` processing stops
42 // after a rule has
43 // been applied i.e. the rule matches and results in a pass, fail,
44 // or error. When
45 // set to `All` all rules in the policy are processed. The default
46 // is `All`.
47 "applyRules"?: "All" | "One"
48
49 // Background controls if rules are applied to existing resources
50 // during a background scan.
51 // Optional. Default value is "true". The value must be set to
52 // "false" if the policy rule
53 // uses variables that are only available in the admission review
54 // request (e.g. user name).
55 "background"?: bool
56
57 // EmitWarning enables API response warnings for mutate policy
58 // rules or validate policy rules with validationFailureAction
59 // set to Audit.
60 // Enabling this option will extend admission request processing
61 // times. The default value is "false".
62 "emitWarning"?: bool
63
64 // Deprecated, use failurePolicy under the webhookConfiguration
65 // instead.
66 "failurePolicy"?: "Ignore" | "Fail"
67
68 // Deprecated, use generateExisting under the generate rule
69 // instead
70 "generateExisting"?: bool
71
72 // Deprecated, use generateExisting instead
73 "generateExistingOnPolicyUpdate"?: bool
74
75 // Deprecated, use mutateExistingOnPolicyUpdate under the mutate
76 // rule instead
77 "mutateExistingOnPolicyUpdate"?: bool
78
79 // Rules is a list of Rule instances. A Policy contains multiple
80 // rules and
81 // each rule can validate, mutate, or generate resources.
82 "rules"?: [...{
83 // CELPreconditions are used to determine if a policy rule should
84 // be applied by evaluating a
85 // set of CEL conditions. It can only be used with the
86 // validate.cel subrule
87 "celPreconditions"?: [...{
88 // Expression represents the expression which will be evaluated by
89 // CEL. Must evaluate to bool.
90 // CEL expressions have access to the contents of the
91 // AdmissionRequest and Authorizer, organized into CEL variables:
92 //
93 // 'object' - The object from the incoming request. The value is
94 // null for DELETE requests.
95 // 'oldObject' - The existing object. The value is null for CREATE
96 // requests.
97 // 'request' - Attributes of the admission
98 // request(/pkg/apis/admission/types.go#AdmissionRequest).
99 // 'authorizer' - A CEL Authorizer. May be used to perform
100 // authorization checks for the principal (user or service
101 // account) of the request.
102 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
103 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
104 // from the 'authorizer' and configured with the
105 // request resource.
106 // Documentation on CEL:
107 // https://kubernetes.io/docs/reference/using-api/cel/
108 //
109 // Required.
110 "expression"!: string
111
112 // Name is an identifier for this match condition, used for
113 // strategic merging of MatchConditions,
114 // as well as providing an identifier for logging purposes. A good
115 // name should be descriptive of
116 // the associated expression.
117 // Name must be a qualified name consisting of alphanumeric
118 // characters, '-', '_' or '.', and
119 // must start and end with an alphanumeric character (e.g.
120 // 'MyName', or 'my.name', or
121 // '123-abc', regex used for validation is
122 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
123 // optional DNS subdomain prefix and '/' (e.g.
124 // 'example.com/MyName')
125 //
126 // Required.
127 "name"!: string
128 }]
129
130 // Context defines variables and data sources that can be used
131 // during rule execution.
132 "context"?: [...matchN(1, [{
133 "configMap"!: _
134 }, {
135 "apiCall"!: _
136 }, {
137 "imageRegistry"!: _
138 }, {
139 "variable"!: _
140 }, {
141 "globalReference"!: _
142 }]) & {
143 // APICall is an HTTP request to the Kubernetes API server, or
144 // other JSON web service.
145 // The data returned is stored in the context with the name for
146 // the context entry.
147 "apiCall"?: {
148 // The data object specifies the POST data sent to the server.
149 // Only applicable when the method field is set to POST.
150 "data"?: [...{
151 // Key is a unique identifier for the data value
152 "key"!: string
153
154 // Value is the data value
155 "value"!: null | bool | number | string | [...] | {
156 ...
157 }
158 }]
159
160 // Default is an optional arbitrary JSON object that the context
161 // value is set to, if the apiCall returns error.
162 "default"?: null | bool | number | string | [...] | {
163 ...
164 }
165
166 // JMESPath is an optional JSON Match Expression that can be used
167 // to
168 // transform the JSON response returned from the server. For
169 // example
170 // a JMESPath of "items | length(@)" applied to the API server
171 // response
172 // for the URLPath "/apis/apps/v1/deployments" will return the
173 // total count
174 // of deployments across all namespaces.
175 "jmesPath"?: string
176
177 // Method is the HTTP request type (GET or POST). Defaults to GET.
178 "method"?: "GET" | "POST"
179
180 // Service is an API call to a JSON web service.
181 // This is used for non-Kubernetes API server calls.
182 // It's mutually exclusive with the URLPath field.
183 "service"?: {
184 // CABundle is a PEM encoded CA bundle which will be used to
185 // validate
186 // the server certificate.
187 "caBundle"?: string
188
189 // Headers is a list of optional HTTP headers to be included in
190 // the request.
191 "headers"?: [...{
192 // Key is the header key
193 "key"!: string
194
195 // Value is the header value
196 "value"!: string
197 }]
198
199 // URL is the JSON web service URL. A typical form is
200 // `https://{service}.{namespace}:{port}/{path}`.
201 "url"!: string
202 }
203
204 // URLPath is the URL path to be used in the HTTP GET or POST
205 // request to the
206 // Kubernetes API server (e.g. "/api/v1/namespaces" or
207 // "/apis/apps/v1/deployments").
208 // The format required is the same format used by the `kubectl get
209 // --raw` command.
210 // See
211 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
212 // for details.
213 // It's mutually exclusive with the Service field.
214 "urlPath"?: string
215 }
216
217 // ConfigMap is the ConfigMap reference.
218 "configMap"?: {
219 // Name is the ConfigMap name.
220 "name"!: string
221
222 // Namespace is the ConfigMap namespace.
223 "namespace"?: string
224 }
225
226 // GlobalContextEntryReference is a reference to a cached global
227 // context entry.
228 "globalReference"?: {
229 // JMESPath is an optional JSON Match Expression that can be used
230 // to
231 // transform the JSON response returned from the server. For
232 // example
233 // a JMESPath of "items | length(@)" applied to the API server
234 // response
235 // for the URLPath "/apis/apps/v1/deployments" will return the
236 // total count
237 // of deployments across all namespaces.
238 "jmesPath"?: string
239
240 // Name of the global context entry
241 "name"!: string
242 }
243
244 // ImageRegistry defines requests to an OCI/Docker V2 registry to
245 // fetch image
246 // details.
247 "imageRegistry"?: {
248 // ImageRegistryCredentials provides credentials that will be used
249 // for authentication with registry
250 "imageRegistryCredentials"?: {
251 // AllowInsecureRegistry allows insecure access to a registry.
252 "allowInsecureRegistry"?: bool
253
254 // Providers specifies a list of OCI Registry names, whose
255 // authentication providers are provided.
256 // It can be of one of these values:
257 // default,google,azure,amazon,github.
258 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
259
260 // Secrets specifies a list of secrets that are provided for
261 // credentials.
262 // Secrets must live in the Kyverno namespace.
263 "secrets"?: [...string]
264 }
265
266 // JMESPath is an optional JSON Match Expression that can be used
267 // to
268 // transform the ImageData struct returned as a result of
269 // processing
270 // the image reference.
271 "jmesPath"?: string
272
273 // Reference is image reference to a container image in the
274 // registry.
275 // Example: ghcr.io/kyverno/kyverno:latest
276 "reference"!: string
277 }
278
279 // Name is the variable name.
280 "name"!: string
281
282 // Variable defines an arbitrary JMESPath context variable that
283 // can be defined inline.
284 "variable"?: {
285 // Default is an optional arbitrary JSON object that the variable
286 // may take if the JMESPath
287 // expression evaluates to nil
288 "default"?: null | bool | number | string | [...] | {
289 ...
290 }
291
292 // JMESPath is an optional JMESPath Expression that can be used to
293 // transform the variable.
294 "jmesPath"?: string
295
296 // Value is any arbitrary JSON object representable in YAML or
297 // JSON form.
298 "value"?: null | bool | number | string | [...] | {
299 ...
300 }
301 }
302 }]
303
304 // ExcludeResources defines when this policy rule should not be
305 // applied. The exclude
306 // criteria can include resource information (e.g. kind, name,
307 // namespace, labels)
308 // and admission review request information like the name or role.
309 "exclude"?: matchN(0, [null | bool | number | string | [...] | {
310 "any"!: _
311 "all"!: _
312 }]) & {
313 // All allows specifying resources which will be ANDed
314 "all"?: [...{
315 // ClusterRoles is the list of cluster-wide role names for the
316 // user.
317 "clusterRoles"?: [...string]
318
319 // ResourceDescription contains information about the resource
320 // being created or modified.
321 "resources"?: matchN(0, [null | bool | number | string | [...] | {
322 "name"!: _
323 "names"!: _
324 }]) & {
325 // Annotations is a map of annotations (key-value pairs of type
326 // string). Annotation keys
327 // and values support the wildcard characters "*" (matches zero or
328 // many characters) and
329 // "?" (matches at least one character).
330 "annotations"?: [string]: string
331
332 // Kinds is a list of resource kinds.
333 "kinds"?: [...string]
334
335 // Name is the name of the resource. The name supports wildcard
336 // characters
337 // "*" (matches zero or many characters) and "?" (at least one
338 // character).
339 // NOTE: "Name" is being deprecated in favor of "Names".
340 "name"?: string
341
342 // Names are the names of the resources. Each name supports
343 // wildcard characters
344 // "*" (matches zero or many characters) and "?" (at least one
345 // character).
346 "names"?: [...string]
347
348 // NamespaceSelector is a label selector for the resource
349 // namespace. Label keys and values
350 // in `matchLabels` support the wildcard characters `*` (matches
351 // zero or many characters)
352 // and `?` (matches one character). Wildcards allow writing label
353 // selectors like
354 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
355 // any key and value but
356 // does not match an empty label set.
357 "namespaceSelector"?: {
358 // matchExpressions is a list of label selector requirements. The
359 // requirements are ANDed.
360 "matchExpressions"?: [...{
361 // key is the label key that the selector applies to.
362 "key"!: string
363
364 // operator represents a key's relationship to a set of values.
365 // Valid operators are In, NotIn, Exists and DoesNotExist.
366 "operator"!: string
367
368 // values is an array of string values. If the operator is In or
369 // NotIn,
370 // the values array must be non-empty. If the operator is Exists
371 // or DoesNotExist,
372 // the values array must be empty. This array is replaced during a
373 // strategic
374 // merge patch.
375 "values"?: [...string]
376 }]
377
378 // matchLabels is a map of {key,value} pairs. A single {key,value}
379 // in the matchLabels
380 // map is equivalent to an element of matchExpressions, whose key
381 // field is "key", the
382 // operator is "In", and the values array contains only "value".
383 // The requirements are ANDed.
384 "matchLabels"?: {
385 [string]: string
386 }
387 }
388
389 // Namespaces is a list of namespace names. Each name supports
390 // wildcard characters
391 // "*" (matches zero or many characters) and "?" (at least one
392 // character).
393 "namespaces"?: [...string]
394
395 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
396 // "DELETE"], which are used to match a specific action.
397 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
398
399 // Selector is a label selector. Label keys and values in
400 // `matchLabels` support the wildcard
401 // characters `*` (matches zero or many characters) and `?`
402 // (matches one character).
403 // Wildcards allow writing label selectors like
404 // ["storage.k8s.io/*": "*"]. Note that
405 // using ["*" : "*"] matches any key and value but does not match
406 // an empty label set.
407 "selector"?: {
408 // matchExpressions is a list of label selector requirements. The
409 // requirements are ANDed.
410 "matchExpressions"?: [...{
411 // key is the label key that the selector applies to.
412 "key"!: string
413
414 // operator represents a key's relationship to a set of values.
415 // Valid operators are In, NotIn, Exists and DoesNotExist.
416 "operator"!: string
417
418 // values is an array of string values. If the operator is In or
419 // NotIn,
420 // the values array must be non-empty. If the operator is Exists
421 // or DoesNotExist,
422 // the values array must be empty. This array is replaced during a
423 // strategic
424 // merge patch.
425 "values"?: [...string]
426 }]
427
428 // matchLabels is a map of {key,value} pairs. A single {key,value}
429 // in the matchLabels
430 // map is equivalent to an element of matchExpressions, whose key
431 // field is "key", the
432 // operator is "In", and the values array contains only "value".
433 // The requirements are ANDed.
434 "matchLabels"?: {
435 [string]: string
436 }
437 }
438 }
439
440 // Roles is the list of namespaced role names for the user.
441 "roles"?: [...string]
442
443 // Subjects is the list of subject names like users, user groups,
444 // and service accounts.
445 "subjects"?: [...{
446 // APIGroup holds the API group of the referenced subject.
447 // Defaults to "" for ServiceAccount subjects.
448 // Defaults to "rbac.authorization.k8s.io" for User and Group
449 // subjects.
450 "apiGroup"?: string
451
452 // Kind of object being referenced. Values defined by this API
453 // group are "User", "Group", and "ServiceAccount".
454 // If the Authorizer does not recognize the kind value, the
455 // Authorizer should report an error.
456 "kind"!: string
457
458 // Name of the object being referenced.
459 "name"!: string
460
461 // Namespace of the referenced object. If the object kind is
462 // non-namespace, such as "User" or "Group", and this value is
463 // not empty
464 // the Authorizer should report an error.
465 "namespace"?: string
466 }]
467 }]
468
469 // Any allows specifying resources which will be ORed
470 "any"?: [...{
471 // ClusterRoles is the list of cluster-wide role names for the
472 // user.
473 "clusterRoles"?: [...string]
474
475 // ResourceDescription contains information about the resource
476 // being created or modified.
477 "resources"?: matchN(0, [null | bool | number | string | [...] | {
478 "name"!: _
479 "names"!: _
480 }]) & {
481 // Annotations is a map of annotations (key-value pairs of type
482 // string). Annotation keys
483 // and values support the wildcard characters "*" (matches zero or
484 // many characters) and
485 // "?" (matches at least one character).
486 "annotations"?: [string]: string
487
488 // Kinds is a list of resource kinds.
489 "kinds"?: [...string]
490
491 // Name is the name of the resource. The name supports wildcard
492 // characters
493 // "*" (matches zero or many characters) and "?" (at least one
494 // character).
495 // NOTE: "Name" is being deprecated in favor of "Names".
496 "name"?: string
497
498 // Names are the names of the resources. Each name supports
499 // wildcard characters
500 // "*" (matches zero or many characters) and "?" (at least one
501 // character).
502 "names"?: [...string]
503
504 // NamespaceSelector is a label selector for the resource
505 // namespace. Label keys and values
506 // in `matchLabels` support the wildcard characters `*` (matches
507 // zero or many characters)
508 // and `?` (matches one character). Wildcards allow writing label
509 // selectors like
510 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
511 // any key and value but
512 // does not match an empty label set.
513 "namespaceSelector"?: {
514 // matchExpressions is a list of label selector requirements. The
515 // requirements are ANDed.
516 "matchExpressions"?: [...{
517 // key is the label key that the selector applies to.
518 "key"!: string
519
520 // operator represents a key's relationship to a set of values.
521 // Valid operators are In, NotIn, Exists and DoesNotExist.
522 "operator"!: string
523
524 // values is an array of string values. If the operator is In or
525 // NotIn,
526 // the values array must be non-empty. If the operator is Exists
527 // or DoesNotExist,
528 // the values array must be empty. This array is replaced during a
529 // strategic
530 // merge patch.
531 "values"?: [...string]
532 }]
533
534 // matchLabels is a map of {key,value} pairs. A single {key,value}
535 // in the matchLabels
536 // map is equivalent to an element of matchExpressions, whose key
537 // field is "key", the
538 // operator is "In", and the values array contains only "value".
539 // The requirements are ANDed.
540 "matchLabels"?: {
541 [string]: string
542 }
543 }
544
545 // Namespaces is a list of namespace names. Each name supports
546 // wildcard characters
547 // "*" (matches zero or many characters) and "?" (at least one
548 // character).
549 "namespaces"?: [...string]
550
551 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
552 // "DELETE"], which are used to match a specific action.
553 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
554
555 // Selector is a label selector. Label keys and values in
556 // `matchLabels` support the wildcard
557 // characters `*` (matches zero or many characters) and `?`
558 // (matches one character).
559 // Wildcards allow writing label selectors like
560 // ["storage.k8s.io/*": "*"]. Note that
561 // using ["*" : "*"] matches any key and value but does not match
562 // an empty label set.
563 "selector"?: {
564 // matchExpressions is a list of label selector requirements. The
565 // requirements are ANDed.
566 "matchExpressions"?: [...{
567 // key is the label key that the selector applies to.
568 "key"!: string
569
570 // operator represents a key's relationship to a set of values.
571 // Valid operators are In, NotIn, Exists and DoesNotExist.
572 "operator"!: string
573
574 // values is an array of string values. If the operator is In or
575 // NotIn,
576 // the values array must be non-empty. If the operator is Exists
577 // or DoesNotExist,
578 // the values array must be empty. This array is replaced during a
579 // strategic
580 // merge patch.
581 "values"?: [...string]
582 }]
583
584 // matchLabels is a map of {key,value} pairs. A single {key,value}
585 // in the matchLabels
586 // map is equivalent to an element of matchExpressions, whose key
587 // field is "key", the
588 // operator is "In", and the values array contains only "value".
589 // The requirements are ANDed.
590 "matchLabels"?: {
591 [string]: string
592 }
593 }
594 }
595
596 // Roles is the list of namespaced role names for the user.
597 "roles"?: [...string]
598
599 // Subjects is the list of subject names like users, user groups,
600 // and service accounts.
601 "subjects"?: [...{
602 // APIGroup holds the API group of the referenced subject.
603 // Defaults to "" for ServiceAccount subjects.
604 // Defaults to "rbac.authorization.k8s.io" for User and Group
605 // subjects.
606 "apiGroup"?: string
607
608 // Kind of object being referenced. Values defined by this API
609 // group are "User", "Group", and "ServiceAccount".
610 // If the Authorizer does not recognize the kind value, the
611 // Authorizer should report an error.
612 "kind"!: string
613
614 // Name of the object being referenced.
615 "name"!: string
616
617 // Namespace of the referenced object. If the object kind is
618 // non-namespace, such as "User" or "Group", and this value is
619 // not empty
620 // the Authorizer should report an error.
621 "namespace"?: string
622 }]
623 }]
624 }
625
626 // Generation is used to create new resources.
627 "generate"?: {
628 // APIVersion specifies resource apiVersion.
629 "apiVersion"?: string
630
631 // Clone specifies the source resource used to populate each
632 // generated resource.
633 // At most one of Data or Clone can be specified. If neither are
634 // provided, the generated
635 // resource will be created with default data only.
636 "clone"?: {
637 // Name specifies name of the resource.
638 "name"?: string
639
640 // Namespace specifies source resource namespace.
641 "namespace"?: string
642 }
643
644 // CloneList specifies the list of source resources used to
645 // populate each generated resource.
646 "cloneList"?: {
647 // Kinds is a list of resource kinds.
648 "kinds"?: [...string]
649
650 // Namespace specifies source resource namespace.
651 "namespace"?: string
652
653 // Selector is a label selector. Label keys and values in
654 // `matchLabels`.
655 // wildcard characters are not supported.
656 "selector"?: {
657 // matchExpressions is a list of label selector requirements. The
658 // requirements are ANDed.
659 "matchExpressions"?: [...{
660 // key is the label key that the selector applies to.
661 "key"!: string
662
663 // operator represents a key's relationship to a set of values.
664 // Valid operators are In, NotIn, Exists and DoesNotExist.
665 "operator"!: string
666
667 // values is an array of string values. If the operator is In or
668 // NotIn,
669 // the values array must be non-empty. If the operator is Exists
670 // or DoesNotExist,
671 // the values array must be empty. This array is replaced during a
672 // strategic
673 // merge patch.
674 "values"?: [...string]
675 }]
676
677 // matchLabels is a map of {key,value} pairs. A single {key,value}
678 // in the matchLabels
679 // map is equivalent to an element of matchExpressions, whose key
680 // field is "key", the
681 // operator is "In", and the values array contains only "value".
682 // The requirements are ANDed.
683 "matchLabels"?: {
684 [string]: string
685 }
686 }
687 }
688
689 // Data provides the resource declaration used to populate each
690 // generated resource.
691 // At most one of Data or Clone must be specified. If neither are
692 // provided, the generated
693 // resource will be created with default data only.
694 "data"?: null | bool | number | string | [...] | {
695 ...
696 }
697
698 // ForEach applies generate rules to a list of sub-elements by
699 // creating a context for each entry in the list and looping over
700 // it to apply the specified logic.
701 "foreach"?: [...{
702 // APIVersion specifies resource apiVersion.
703 "apiVersion"?: string
704
705 // Clone specifies the source resource used to populate each
706 // generated resource.
707 // At most one of Data or Clone can be specified. If neither are
708 // provided, the generated
709 // resource will be created with default data only.
710 "clone"?: {
711 // Name specifies name of the resource.
712 "name"?: string
713
714 // Namespace specifies source resource namespace.
715 "namespace"?: string
716 }
717
718 // CloneList specifies the list of source resources used to
719 // populate each generated resource.
720 "cloneList"?: {
721 // Kinds is a list of resource kinds.
722 "kinds"?: [...string]
723
724 // Namespace specifies source resource namespace.
725 "namespace"?: string
726
727 // Selector is a label selector. Label keys and values in
728 // `matchLabels`.
729 // wildcard characters are not supported.
730 "selector"?: {
731 // matchExpressions is a list of label selector requirements. The
732 // requirements are ANDed.
733 "matchExpressions"?: [...{
734 // key is the label key that the selector applies to.
735 "key"!: string
736
737 // operator represents a key's relationship to a set of values.
738 // Valid operators are In, NotIn, Exists and DoesNotExist.
739 "operator"!: string
740
741 // values is an array of string values. If the operator is In or
742 // NotIn,
743 // the values array must be non-empty. If the operator is Exists
744 // or DoesNotExist,
745 // the values array must be empty. This array is replaced during a
746 // strategic
747 // merge patch.
748 "values"?: [...string]
749 }]
750
751 // matchLabels is a map of {key,value} pairs. A single {key,value}
752 // in the matchLabels
753 // map is equivalent to an element of matchExpressions, whose key
754 // field is "key", the
755 // operator is "In", and the values array contains only "value".
756 // The requirements are ANDed.
757 "matchLabels"?: {
758 [string]: string
759 }
760 }
761 }
762
763 // Context defines variables and data sources that can be used
764 // during rule execution.
765 "context"?: [...matchN(1, [{
766 "configMap"!: _
767 }, {
768 "apiCall"!: _
769 }, {
770 "imageRegistry"!: _
771 }, {
772 "variable"!: _
773 }, {
774 "globalReference"!: _
775 }]) & {
776 // APICall is an HTTP request to the Kubernetes API server, or
777 // other JSON web service.
778 // The data returned is stored in the context with the name for
779 // the context entry.
780 "apiCall"?: {
781 // The data object specifies the POST data sent to the server.
782 // Only applicable when the method field is set to POST.
783 "data"?: [...{
784 // Key is a unique identifier for the data value
785 "key"!: string
786
787 // Value is the data value
788 "value"!: null | bool | number | string | [...] | {
789 ...
790 }
791 }]
792
793 // Default is an optional arbitrary JSON object that the context
794 // value is set to, if the apiCall returns error.
795 "default"?: null | bool | number | string | [...] | {
796 ...
797 }
798
799 // JMESPath is an optional JSON Match Expression that can be used
800 // to
801 // transform the JSON response returned from the server. For
802 // example
803 // a JMESPath of "items | length(@)" applied to the API server
804 // response
805 // for the URLPath "/apis/apps/v1/deployments" will return the
806 // total count
807 // of deployments across all namespaces.
808 "jmesPath"?: string
809
810 // Method is the HTTP request type (GET or POST). Defaults to GET.
811 "method"?: "GET" | "POST"
812
813 // Service is an API call to a JSON web service.
814 // This is used for non-Kubernetes API server calls.
815 // It's mutually exclusive with the URLPath field.
816 "service"?: {
817 // CABundle is a PEM encoded CA bundle which will be used to
818 // validate
819 // the server certificate.
820 "caBundle"?: string
821
822 // Headers is a list of optional HTTP headers to be included in
823 // the request.
824 "headers"?: [...{
825 // Key is the header key
826 "key"!: string
827
828 // Value is the header value
829 "value"!: string
830 }]
831
832 // URL is the JSON web service URL. A typical form is
833 // `https://{service}.{namespace}:{port}/{path}`.
834 "url"!: string
835 }
836
837 // URLPath is the URL path to be used in the HTTP GET or POST
838 // request to the
839 // Kubernetes API server (e.g. "/api/v1/namespaces" or
840 // "/apis/apps/v1/deployments").
841 // The format required is the same format used by the `kubectl get
842 // --raw` command.
843 // See
844 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
845 // for details.
846 // It's mutually exclusive with the Service field.
847 "urlPath"?: string
848 }
849
850 // ConfigMap is the ConfigMap reference.
851 "configMap"?: {
852 // Name is the ConfigMap name.
853 "name"!: string
854
855 // Namespace is the ConfigMap namespace.
856 "namespace"?: string
857 }
858
859 // GlobalContextEntryReference is a reference to a cached global
860 // context entry.
861 "globalReference"?: {
862 // JMESPath is an optional JSON Match Expression that can be used
863 // to
864 // transform the JSON response returned from the server. For
865 // example
866 // a JMESPath of "items | length(@)" applied to the API server
867 // response
868 // for the URLPath "/apis/apps/v1/deployments" will return the
869 // total count
870 // of deployments across all namespaces.
871 "jmesPath"?: string
872
873 // Name of the global context entry
874 "name"!: string
875 }
876
877 // ImageRegistry defines requests to an OCI/Docker V2 registry to
878 // fetch image
879 // details.
880 "imageRegistry"?: {
881 // ImageRegistryCredentials provides credentials that will be used
882 // for authentication with registry
883 "imageRegistryCredentials"?: {
884 // AllowInsecureRegistry allows insecure access to a registry.
885 "allowInsecureRegistry"?: bool
886
887 // Providers specifies a list of OCI Registry names, whose
888 // authentication providers are provided.
889 // It can be of one of these values:
890 // default,google,azure,amazon,github.
891 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
892
893 // Secrets specifies a list of secrets that are provided for
894 // credentials.
895 // Secrets must live in the Kyverno namespace.
896 "secrets"?: [...string]
897 }
898
899 // JMESPath is an optional JSON Match Expression that can be used
900 // to
901 // transform the ImageData struct returned as a result of
902 // processing
903 // the image reference.
904 "jmesPath"?: string
905
906 // Reference is image reference to a container image in the
907 // registry.
908 // Example: ghcr.io/kyverno/kyverno:latest
909 "reference"!: string
910 }
911
912 // Name is the variable name.
913 "name"!: string
914
915 // Variable defines an arbitrary JMESPath context variable that
916 // can be defined inline.
917 "variable"?: {
918 // Default is an optional arbitrary JSON object that the variable
919 // may take if the JMESPath
920 // expression evaluates to nil
921 "default"?: null | bool | number | string | [...] | {
922 ...
923 }
924
925 // JMESPath is an optional JMESPath Expression that can be used to
926 // transform the variable.
927 "jmesPath"?: string
928
929 // Value is any arbitrary JSON object representable in YAML or
930 // JSON form.
931 "value"?: null | bool | number | string | [...] | {
932 ...
933 }
934 }
935 }]
936
937 // Data provides the resource declaration used to populate each
938 // generated resource.
939 // At most one of Data or Clone must be specified. If neither are
940 // provided, the generated
941 // resource will be created with default data only.
942 "data"?: null | bool | number | string | [...] | {
943 ...
944 }
945
946 // Kind specifies resource kind.
947 "kind"?: string
948
949 // List specifies a JMESPath expression that results in one or
950 // more elements
951 // to which the validation logic is applied.
952 "list"?: string
953
954 // Name specifies the resource name.
955 "name"?: string
956
957 // Namespace specifies resource namespace.
958 "namespace"?: string
959
960 // AnyAllConditions are used to determine if a policy rule should
961 // be applied by evaluating a
962 // set of conditions. The declaration can contain nested `any` or
963 // `all` statements.
964 // See: https://kyverno.io/docs/writing-policies/preconditions/
965 "preconditions"?: {
966 // AllConditions enable variable-based conditional rule execution.
967 // This is useful for
968 // finer control of when a rule is applied. A condition can
969 // reference object data
970 // using JMESPath notation.
971 // Here, all of the conditions need to pass
972 "all"?: [...{
973 // Key is the context entry (using JMESPath) for conditional rule
974 // evaluation.
975 "key"?: null | bool | number | string | [...] | {
976 ...
977 }
978
979 // Message is an optional display message
980 "message"?: string
981
982 // Operator is the conditional operation to perform. Valid
983 // operators are:
984 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
985 // GreaterThanOrEquals,
986 // GreaterThan, LessThanOrEquals, LessThan,
987 // DurationGreaterThanOrEquals, DurationGreaterThan,
988 // DurationLessThanOrEquals, DurationLessThan
989 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
990
991 // Value is the conditional value, or set of values. The values
992 // can be fixed set
993 // or can be variables declared using JMESPath.
994 "value"?: null | bool | number | string | [...] | {
995 ...
996 }
997 }]
998
999 // AnyConditions enable variable-based conditional rule execution.
1000 // This is useful for
1001 // finer control of when a rule is applied. A condition can
1002 // reference object data
1003 // using JMESPath notation.
1004 // Here, at least one of the conditions need to pass
1005 "any"?: [...{
1006 // Key is the context entry (using JMESPath) for conditional rule
1007 // evaluation.
1008 "key"?: null | bool | number | string | [...] | {
1009 ...
1010 }
1011
1012 // Message is an optional display message
1013 "message"?: string
1014
1015 // Operator is the conditional operation to perform. Valid
1016 // operators are:
1017 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1018 // GreaterThanOrEquals,
1019 // GreaterThan, LessThanOrEquals, LessThan,
1020 // DurationGreaterThanOrEquals, DurationGreaterThan,
1021 // DurationLessThanOrEquals, DurationLessThan
1022 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1023
1024 // Value is the conditional value, or set of values. The values
1025 // can be fixed set
1026 // or can be variables declared using JMESPath.
1027 "value"?: null | bool | number | string | [...] | {
1028 ...
1029 }
1030 }]
1031 ...
1032 }
1033
1034 // UID specifies the resource uid.
1035 "uid"?: string
1036 }]
1037
1038 // GenerateExisting controls whether to trigger the rule in
1039 // existing resources
1040 // If set to "true" the rule will be triggered and applied to
1041 // existing matched resources.
1042 "generateExisting"?: bool
1043
1044 // Kind specifies resource kind.
1045 "kind"?: string
1046
1047 // Name specifies the resource name.
1048 "name"?: string
1049
1050 // Namespace specifies resource namespace.
1051 "namespace"?: string
1052
1053 // OrphanDownstreamOnPolicyDelete controls whether generated
1054 // resources should be deleted when the rule that generated
1055 // them is deleted with synchronization enabled. This option is
1056 // only applicable to generate rules of the data type.
1057 // See
1058 // https://kyverno.io/docs/writing-policies/generate/#data-examples.
1059 // Defaults to "false" if not specified.
1060 "orphanDownstreamOnPolicyDelete"?: bool
1061
1062 // Synchronize controls if generated resources should be kept
1063 // in-sync with their source resource.
1064 // If Synchronize is set to "true" changes to generated resources
1065 // will be overwritten with resource
1066 // data from Data or the resource specified in the Clone
1067 // declaration.
1068 // Optional. Defaults to "false" if not specified.
1069 "synchronize"?: bool
1070
1071 // UID specifies the resource uid.
1072 "uid"?: string
1073 }
1074
1075 // ImageExtractors defines a mapping from kinds to
1076 // ImageExtractorConfigs.
1077 // This config is only valid for verifyImages rules.
1078 "imageExtractors"?: {
1079 [string]: [...{
1080 // JMESPath is an optional JMESPath expression to apply to the
1081 // image value.
1082 // This is useful when the extracted image begins with a prefix
1083 // like 'docker://'.
1084 // The 'trim_prefix' function may be used to trim the prefix:
1085 // trim_prefix(@, 'docker://').
1086 // Note - Image digest mutation may not be used when applying a
1087 // JMESPath to an image.
1088 "jmesPath"?: string
1089
1090 // Key is an optional name of the field within 'path' that will be
1091 // used to uniquely identify an image.
1092 // Note - this field MUST be unique.
1093 "key"?: string
1094
1095 // Name is the entry the image will be available under
1096 // 'images.<name>' in the context.
1097 // If this field is not defined, image entries will appear under
1098 // 'images.custom'.
1099 "name"?: string
1100
1101 // Path is the path to the object containing the image field in a
1102 // custom resource.
1103 // It should be slash-separated. Each slash-separated key must be
1104 // a valid YAML key or a wildcard '*'.
1105 // Wildcard keys are expanded in case of arrays or objects.
1106 "path"!: string
1107
1108 // Value is an optional name of the field within 'path' that
1109 // points to the image URI.
1110 // This is useful when a custom 'key' is also defined.
1111 "value"?: string
1112 }]
1113 }
1114
1115 // MatchResources defines when this policy rule should be applied.
1116 // The match
1117 // criteria can include resource information (e.g. kind, name,
1118 // namespace, labels)
1119 // and admission review request information like the user name or
1120 // role.
1121 // At least one kind is required.
1122 "match"!: matchN(0, [null | bool | number | string | [...] | {
1123 "any"!: _
1124 "all"!: _
1125 }]) & {
1126 // All allows specifying resources which will be ANDed
1127 "all"?: [...{
1128 // ClusterRoles is the list of cluster-wide role names for the
1129 // user.
1130 "clusterRoles"?: [...string]
1131
1132 // ResourceDescription contains information about the resource
1133 // being created or modified.
1134 "resources"?: matchN(0, [null | bool | number | string | [...] | {
1135 "name"!: _
1136 "names"!: _
1137 }]) & {
1138 // Annotations is a map of annotations (key-value pairs of type
1139 // string). Annotation keys
1140 // and values support the wildcard characters "*" (matches zero or
1141 // many characters) and
1142 // "?" (matches at least one character).
1143 "annotations"?: [string]: string
1144
1145 // Kinds is a list of resource kinds.
1146 "kinds"?: [...string]
1147
1148 // Name is the name of the resource. The name supports wildcard
1149 // characters
1150 // "*" (matches zero or many characters) and "?" (at least one
1151 // character).
1152 // NOTE: "Name" is being deprecated in favor of "Names".
1153 "name"?: string
1154
1155 // Names are the names of the resources. Each name supports
1156 // wildcard characters
1157 // "*" (matches zero or many characters) and "?" (at least one
1158 // character).
1159 "names"?: [...string]
1160
1161 // NamespaceSelector is a label selector for the resource
1162 // namespace. Label keys and values
1163 // in `matchLabels` support the wildcard characters `*` (matches
1164 // zero or many characters)
1165 // and `?` (matches one character). Wildcards allow writing label
1166 // selectors like
1167 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1168 // any key and value but
1169 // does not match an empty label set.
1170 "namespaceSelector"?: {
1171 // matchExpressions is a list of label selector requirements. The
1172 // requirements are ANDed.
1173 "matchExpressions"?: [...{
1174 // key is the label key that the selector applies to.
1175 "key"!: string
1176
1177 // operator represents a key's relationship to a set of values.
1178 // Valid operators are In, NotIn, Exists and DoesNotExist.
1179 "operator"!: string
1180
1181 // values is an array of string values. If the operator is In or
1182 // NotIn,
1183 // the values array must be non-empty. If the operator is Exists
1184 // or DoesNotExist,
1185 // the values array must be empty. This array is replaced during a
1186 // strategic
1187 // merge patch.
1188 "values"?: [...string]
1189 }]
1190
1191 // matchLabels is a map of {key,value} pairs. A single {key,value}
1192 // in the matchLabels
1193 // map is equivalent to an element of matchExpressions, whose key
1194 // field is "key", the
1195 // operator is "In", and the values array contains only "value".
1196 // The requirements are ANDed.
1197 "matchLabels"?: {
1198 [string]: string
1199 }
1200 }
1201
1202 // Namespaces is a list of namespaces names. Each name supports
1203 // wildcard characters
1204 // "*" (matches zero or many characters) and "?" (at least one
1205 // character).
1206 "namespaces"?: [...string]
1207
1208 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1209 // "DELETE"], which are used to match a specific action.
1210 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1211
1212 // Selector is a label selector. Label keys and values in
1213 // `matchLabels` support the wildcard
1214 // characters `*` (matches zero or many characters) and `?`
1215 // (matches one character).
1216 // Wildcards allow writing label selectors like
1217 // ["storage.k8s.io/*": "*"]. Note that
1218 // using ["*" : "*"] matches any key and value but does not match
1219 // an empty label set.
1220 "selector"?: {
1221 // matchExpressions is a list of label selector requirements. The
1222 // requirements are ANDed.
1223 "matchExpressions"?: [...{
1224 // key is the label key that the selector applies to.
1225 "key"!: string
1226
1227 // operator represents a key's relationship to a set of values.
1228 // Valid operators are In, NotIn, Exists and DoesNotExist.
1229 "operator"!: string
1230
1231 // values is an array of string values. If the operator is In or
1232 // NotIn,
1233 // the values array must be non-empty. If the operator is Exists
1234 // or DoesNotExist,
1235 // the values array must be empty. This array is replaced during a
1236 // strategic
1237 // merge patch.
1238 "values"?: [...string]
1239 }]
1240
1241 // matchLabels is a map of {key,value} pairs. A single {key,value}
1242 // in the matchLabels
1243 // map is equivalent to an element of matchExpressions, whose key
1244 // field is "key", the
1245 // operator is "In", and the values array contains only "value".
1246 // The requirements are ANDed.
1247 "matchLabels"?: {
1248 [string]: string
1249 }
1250 }
1251 }
1252
1253 // Roles is the list of namespaced role names for the user.
1254 "roles"?: [...string]
1255
1256 // Subjects is the list of subject names like users, user groups,
1257 // and service accounts. Subjects, Roles and ClusterRoles are taken
// from the admission review request's user information, so rules that
// match on them can only be evaluated at admission time, not during a
// background scan (such policies need "background" set to false).
1258 "subjects"?: [...{
1259 // APIGroup holds the API group of the referenced subject.
1260 // Defaults to "" for ServiceAccount subjects.
1261 // Defaults to "rbac.authorization.k8s.io" for User and Group
1262 // subjects.
1263 "apiGroup"?: string
1264
1265 // Kind of object being referenced. Values defined by this API
1266 // group are "User", "Group", and "ServiceAccount".
1267 // If the Authorizer does not recognized the kind value, the
1268 // Authorizer should report an error.
1269 "kind"!: string
1270
1271 // Name of the object being referenced.
1272 "name"!: string
1273
1274 // Namespace of the referenced object. If the object kind is
1275 // non-namespace, such as "User" or "Group", and this value is
1276 // not empty
1277 // the Authorizer should report an error.
1278 "namespace"?: string
1279 }]
1280 }]
1281
1282 // Any allows specifying resources which will be ORed
1283 "any"?: [...{
1284 // ClusterRoles is the list of cluster-wide role names for the
1285 // user.
1286 "clusterRoles"?: [...string]
1287
1288 // ResourceDescription contains information about the resource
1289 // being created or modified.
1290 "resources"?: matchN(0, [null | bool | number | string | [...] | {
1291 "name"!: _
1292 "names"!: _
1293 }]) & {
1294 // Annotations is a map of annotations (key-value pairs of type
1295 // string). Annotation keys
1296 // and values support the wildcard characters "*" (matches zero or
1297 // many characters) and
1298 // "?" (matches at least one character).
1299 "annotations"?: [string]: string
1300
1301 // Kinds is a list of resource kinds.
1302 "kinds"?: [...string]
1303
1304 // Name is the name of the resource. The name supports wildcard
1305 // characters
1306 // "*" (matches zero or many characters) and "?" (at least one
1307 // character).
1308 // NOTE: "Name" is being deprecated in favor of "Names".
1309 "name"?: string
1310
1311 // Names are the names of the resources. Each name supports
1312 // wildcard characters
1313 // "*" (matches zero or many characters) and "?" (at least one
1314 // character).
1315 "names"?: [...string]
1316
1317 // NamespaceSelector is a label selector for the resource
1318 // namespace. Label keys and values
1319 // in `matchLabels` support the wildcard characters `*` (matches
1320 // zero or many characters)
1321 // and `?` (matches one character). Wildcards allow writing label
1322 // selectors like
1323 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1324 // any key and value but
1325 // does not match an empty label set.
1326 "namespaceSelector"?: {
1327 // matchExpressions is a list of label selector requirements. The
1328 // requirements are ANDed.
1329 "matchExpressions"?: [...{
1330 // key is the label key that the selector applies to.
1331 "key"!: string
1332
1333 // operator represents a key's relationship to a set of values.
1334 // Valid operators are In, NotIn, Exists and DoesNotExist.
1335 "operator"!: string
1336
1337 // values is an array of string values. If the operator is In or
1338 // NotIn,
1339 // the values array must be non-empty. If the operator is Exists
1340 // or DoesNotExist,
1341 // the values array must be empty. This array is replaced during a
1342 // strategic
1343 // merge patch.
1344 "values"?: [...string]
1345 }]
1346
1347 // matchLabels is a map of {key,value} pairs. A single {key,value}
1348 // in the matchLabels
1349 // map is equivalent to an element of matchExpressions, whose key
1350 // field is "key", the
1351 // operator is "In", and the values array contains only "value".
1352 // The requirements are ANDed.
1353 "matchLabels"?: {
1354 [string]: string
1355 }
1356 }
1357
1358 // Namespaces is a list of namespaces names. Each name supports
1359 // wildcard characters
1360 // "*" (matches zero or many characters) and "?" (at least one
1361 // character).
1362 "namespaces"?: [...string]
1363
1364 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1365 // "DELETE"], which are used to match a specific action.
1366 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1367
1368 // Selector is a label selector. Label keys and values in
1369 // `matchLabels` support the wildcard
1370 // characters `*` (matches zero or many characters) and `?`
1371 // (matches one character).
1372 // Wildcards allow writing label selectors like
1373 // ["storage.k8s.io/*": "*"]. Note that
1374 // using ["*" : "*"] matches any key and value but does not match
1375 // an empty label set.
1376 "selector"?: {
1377 // matchExpressions is a list of label selector requirements. The
1378 // requirements are ANDed.
1379 "matchExpressions"?: [...{
1380 // key is the label key that the selector applies to.
1381 "key"!: string
1382
1383 // operator represents a key's relationship to a set of values.
1384 // Valid operators are In, NotIn, Exists and DoesNotExist.
1385 "operator"!: string
1386
1387 // values is an array of string values. If the operator is In or
1388 // NotIn,
1389 // the values array must be non-empty. If the operator is Exists
1390 // or DoesNotExist,
1391 // the values array must be empty. This array is replaced during a
1392 // strategic
1393 // merge patch.
1394 "values"?: [...string]
1395 }]
1396
1397 // matchLabels is a map of {key,value} pairs. A single {key,value}
1398 // in the matchLabels
1399 // map is equivalent to an element of matchExpressions, whose key
1400 // field is "key", the
1401 // operator is "In", and the values array contains only "value".
1402 // The requirements are ANDed.
1403 "matchLabels"?: {
1404 [string]: string
1405 }
1406 }
1407 }
1408
1409 // Roles is the list of namespaced role names for the user.
1410 "roles"?: [...string]
1411
1412 // Subjects is the list of subject names like users, user groups,
1413 // and service accounts. Subjects, Roles and ClusterRoles are taken
// from the admission review request's user information, so rules that
// match on them can only be evaluated at admission time, not during a
// background scan (such policies need "background" set to false).
1414 "subjects"?: [...{
1415 // APIGroup holds the API group of the referenced subject.
1416 // Defaults to "" for ServiceAccount subjects.
1417 // Defaults to "rbac.authorization.k8s.io" for User and Group
1418 // subjects.
1419 "apiGroup"?: string
1420
1421 // Kind of object being referenced. Values defined by this API
1422 // group are "User", "Group", and "ServiceAccount".
1423 // If the Authorizer does not recognized the kind value, the
1424 // Authorizer should report an error.
1425 "kind"!: string
1426
1427 // Name of the object being referenced.
1428 "name"!: string
1429
1430 // Namespace of the referenced object. If the object kind is
1431 // non-namespace, such as "User" or "Group", and this value is
1432 // not empty
1433 // the Authorizer should report an error.
1434 "namespace"?: string
1435 }]
1436 }]
1437 }
1438
1439 // Mutation is used to modify matching resources.
1440 "mutate"?: {
1441 // ForEach applies mutation rules to a list of sub-elements by
1442 // creating a context for each entry in the list and looping over
1443 // it to apply the specified logic.
1444 "foreach"?: [...{
1445 // Context defines variables and data sources that can be used
1446 // during rule execution.
1447 "context"?: [...matchN(1, [{
1448 "configMap"!: _
1449 }, {
1450 "apiCall"!: _
1451 }, {
1452 "imageRegistry"!: _
1453 }, {
1454 "variable"!: _
1455 }, {
1456 "globalReference"!: _
1457 }]) & {
1458 // APICall is an HTTP request to the Kubernetes API server, or
1459 // other JSON web service.
1460 // The data returned is stored in the context with the name for
1461 // the context entry.
1462 "apiCall"?: {
1463 // The data object specifies the POST data sent to the server.
1464 // Only applicable when the method field is set to POST.
1465 "data"?: [...{
1466 // Key is a unique identifier for the data value
1467 "key"!: string
1468
1469 // Value is the data value
1470 "value"!: null | bool | number | string | [...] | {
1471 ...
1472 }
1473 }]
1474
1475 // Default is an optional arbitrary JSON object that the context
1476 // value is set to, if the apiCall returns error. Because it masks
// call failures (for example an unreachable service), choose a value
// that makes the dependent rule fail closed rather than one that lets
// the resource through whenever the data source is unavailable.
1477 "default"?: null | bool | number | string | [...] | {
1478 ...
1479 }
1480
1481 // JMESPath is an optional JSON Match Expression that can be used
1482 // to
1483 // transform the JSON response returned from the server. For
1484 // example
1485 // a JMESPath of "items | length(@)" applied to the API server
1486 // response
1487 // for the URLPath "/apis/apps/v1/deployments" will return the
1488 // total count
1489 // of deployments across all namespaces.
1490 "jmesPath"?: string
1491
1492 // Method is the HTTP request type (GET or POST). Defaults to GET.
1493 "method"?: "GET" | "POST"
1494
1495 // Service is an API call to a JSON web service.
1496 // This is used for non-Kubernetes API server calls.
1497 // It's mutually exclusive with the URLPath field.
1498 "service"?: {
1499 // CABundle is a PEM encoded CA bundle which will be used to
1500 // validate
1501 // the server certificate. Set it for any https service whose
// certificate is not otherwise trusted; the response feeds policy
// decisions, so the server's identity must be verifiable.
1502 "caBundle"?: string
1503
1504 // Headers is a list of optional HTTP headers to be included in
1505 // the request. Header values are stored in clear text in the
// policy object, so anyone able to read policies can read them; avoid
// embedding long-lived credentials (e.g. Authorization tokens) here.
1506 "headers"?: [...{
1507 // Key is the header key
1508 "key"!: string
1509
1510 // Value is the header value
1511 "value"!: string
1512 }]
1513
1514 // URL is the JSON web service URL. A typical form is
1515 // `https://{service}.{namespace}:{port}/{path}`.
1516 "url"!: string
1517 }
1518
1519 // URLPath is the URL path to be used in the HTTP GET or POST
1520 // request to the
1521 // Kubernetes API server (e.g. "/api/v1/namespaces" or
1522 // "/apis/apps/v1/deployments").
1523 // The format required is the same format used by the `kubectl get
1524 // --raw` command.
1525 // See
1526 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1527 // for details.
1528 // It's mutually exclusive with the Service field.
1529 "urlPath"?: string
1530 }
1531
1532 // ConfigMap is the ConfigMap reference.
1533 "configMap"?: {
1534 // Name is the ConfigMap name.
1535 "name"!: string
1536
1537 // Namespace is the ConfigMap namespace.
1538 "namespace"?: string
1539 }
1540
1541 // GlobalContextEntryReference is a reference to a cached global
1542 // context entry.
1543 "globalReference"?: {
1544 // JMESPath is an optional JSON Match Expression that can be used
1545 // to
1546 // transform the JSON response returned from the server. For
1547 // example
1548 // a JMESPath of "items | length(@)" applied to the API server
1549 // response
1550 // for the URLPath "/apis/apps/v1/deployments" will return the
1551 // total count
1552 // of deployments across all namespaces.
1553 "jmesPath"?: string
1554
1555 // Name of the global context entry
1556 "name"!: string
1557 }
1558
1559 // ImageRegistry defines requests to an OCI/Docker V2 registry to
1560 // fetch image
1561 // details.
1562 "imageRegistry"?: {
1563 // ImageRegistryCredentials provides credentials that will be used
1564 // for authentication with registry
1565 "imageRegistryCredentials"?: {
1566 // AllowInsecureRegistry allows insecure access to a registry, i.e.
// connections that lack the usual transport-level protections. Image
// data fetched this way can be altered in transit, so a policy decision
// derived from it is only as trustworthy as the network path. Leave it
// unset (secure access) except for isolated test registries.
1567 "allowInsecureRegistry"?: bool
1568
1569 // Providers specifies a list of OCI Registry names, whose
1570 // authentication providers are provided.
1571 // It can be of one of these values:
1572 // default,google,azure,amazon,github.
1573 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1574
1575 // Secrets specifies a list of secrets that are provided for
1576 // credentials.
1577 // Secrets must live in the Kyverno namespace. They are registry
// credentials used on the policy's behalf, so the ability to author a
// policy that names them is effectively the ability to use them; grant
// policy-write access accordingly.
1578 "secrets"?: [...string]
1579 }
1580
1581 // JMESPath is an optional JSON Match Expression that can be used
1582 // to
1583 // transform the ImageData struct returned as a result of
1584 // processing
1585 // the image reference.
1586 "jmesPath"?: string
1587
1588 // Reference is image reference to a container image in the
1589 // registry.
1590 // Example: ghcr.io/kyverno/kyverno:latest
1591 "reference"!: string
1592 }
1593
1594 // Name is the variable name.
1595 "name"!: string
1596
1597 // Variable defines an arbitrary JMESPath context variable that
1598 // can be defined inline.
1599 "variable"?: {
1600 // Default is an optional arbitrary JSON object that the variable
1601 // may take if the JMESPath
1602 // expression evaluates to nil
1603 "default"?: null | bool | number | string | [...] | {
1604 ...
1605 }
1606
1607 // JMESPath is an optional JMESPath Expression that can be used to
1608 // transform the variable.
1609 "jmesPath"?: string
1610
1611 // Value is any arbitrary JSON object representable in YAML or
1612 // JSON form.
1613 "value"?: null | bool | number | string | [...] | {
1614 ...
1615 }
1616 }
1617 }]
1618
1619 // Foreach declares a nested foreach iterator
1620 "foreach"?: null | bool | number | string | [...] | {
1621 ...
1622 }
1623
1624 // List specifies a JMESPath expression that results in one or
1625 // more elements
1626 // to which the validation logic is applied.
1627 "list"?: string
1628
1629 // Order defines the iteration order on the list.
1630 // Can be Ascending to iterate from first to last element or
1631 // Descending to iterate in from last to first element.
1632 "order"?: "Ascending" | "Descending"
1633
1634 // PatchStrategicMerge is a strategic merge patch used to modify
1635 // resources.
1636 // See
1637 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1638 // and
1639 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1640 "patchStrategicMerge"?: null | bool | number | string | [...] | {
1641 ...
1642 }
1643
1644 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1645 // used to modify resources.
1646 // See https://tools.ietf.org/html/rfc6902 and
1647 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1648 "patchesJson6902"?: string
1649
1650 // AnyAllConditions are used to determine if a policy rule should
1651 // be applied by evaluating a
1652 // set of conditions. The declaration can contain nested `any` or
1653 // `all` statements.
1654 // See: https://kyverno.io/docs/writing-policies/preconditions/
1655 "preconditions"?: {
1656 // AllConditions enable variable-based conditional rule execution.
1657 // This is useful for
1658 // finer control of when a rule is applied. A condition can
1659 // reference object data
1660 // using JMESPath notation.
1661 // Here, all of the conditions need to pass
1662 "all"?: [...{
1663 // Key is the context entry (using JMESPath) for conditional rule
1664 // evaluation.
1665 "key"?: null | bool | number | string | [...] | {
1666 ...
1667 }
1668
1669 // Message is an optional display message
1670 "message"?: string
1671
1672 // Operator is the conditional operation to perform. Valid
1673 // operators are:
1674 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1675 // GreaterThanOrEquals,
1676 // GreaterThan, LessThanOrEquals, LessThan,
1677 // DurationGreaterThanOrEquals, DurationGreaterThan,
1678 // DurationLessThanOrEquals, DurationLessThan
1679 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1680
1681 // Value is the conditional value, or set of values. The values
1682 // can be fixed set
1683 // or can be variables declared using JMESPath.
1684 "value"?: null | bool | number | string | [...] | {
1685 ...
1686 }
1687 }]
1688
1689 // AnyConditions enable variable-based conditional rule execution.
1690 // This is useful for
1691 // finer control of when a rule is applied. A condition can
1692 // reference object data
1693 // using JMESPath notation.
1694 // Here, at least one of the conditions need to pass
1695 "any"?: [...{
1696 // Key is the context entry (using JMESPath) for conditional rule
1697 // evaluation.
1698 "key"?: null | bool | number | string | [...] | {
1699 ...
1700 }
1701
1702 // Message is an optional display message
1703 "message"?: string
1704
1705 // Operator is the conditional operation to perform. Valid
1706 // operators are:
1707 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1708 // GreaterThanOrEquals,
1709 // GreaterThan, LessThanOrEquals, LessThan,
1710 // DurationGreaterThanOrEquals, DurationGreaterThan,
1711 // DurationLessThanOrEquals, DurationLessThan
1712 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1713
1714 // Value is the conditional value, or set of values. The values
1715 // can be fixed set
1716 // or can be variables declared using JMESPath.
1717 "value"?: null | bool | number | string | [...] | {
1718 ...
1719 }
1720 }]
1721 ...
1722 }
1723 }]
1724
1725 // MutateExistingOnPolicyUpdate controls if the mutateExisting
1726 // rule will be applied on policy events.
1727 "mutateExistingOnPolicyUpdate"?: bool
1728
1729 // PatchStrategicMerge is a strategic merge patch used to modify
1730 // resources.
1731 // See
1732 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1733 // and
1734 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1735 "patchStrategicMerge"?: null | bool | number | string | [...] | {
1736 ...
1737 }
1738
1739 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1740 // used to modify resources.
1741 // See https://tools.ietf.org/html/rfc6902 and
1742 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1743 "patchesJson6902"?: string
1744
1745 // Targets defines the target resources to be mutated.
1746 "targets"?: [...{
1747 // APIVersion specifies resource apiVersion.
1748 "apiVersion"?: string
1749
1750 // Context defines variables and data sources that can be used
1751 // during rule execution.
1752 "context"?: [...matchN(1, [{
1753 "configMap"!: _
1754 }, {
1755 "apiCall"!: _
1756 }, {
1757 "imageRegistry"!: _
1758 }, {
1759 "variable"!: _
1760 }, {
1761 "globalReference"!: _
1762 }]) & {
1763 // APICall is an HTTP request to the Kubernetes API server, or
1764 // other JSON web service.
1765 // The data returned is stored in the context with the name for
1766 // the context entry.
1767 "apiCall"?: {
1768 // The data object specifies the POST data sent to the server.
1769 // Only applicable when the method field is set to POST.
1770 "data"?: [...{
1771 // Key is a unique identifier for the data value
1772 "key"!: string
1773
1774 // Value is the data value
1775 "value"!: null | bool | number | string | [...] | {
1776 ...
1777 }
1778 }]
1779
1780 // Default is an optional arbitrary JSON object that the context
1781 // value is set to, if the apiCall returns error. Because it masks
// call failures (for example an unreachable service), choose a value
// that makes the dependent rule fail closed rather than one that lets
// the resource through whenever the data source is unavailable.
1782 "default"?: null | bool | number | string | [...] | {
1783 ...
1784 }
1785
1786 // JMESPath is an optional JSON Match Expression that can be used
1787 // to
1788 // transform the JSON response returned from the server. For
1789 // example
1790 // a JMESPath of "items | length(@)" applied to the API server
1791 // response
1792 // for the URLPath "/apis/apps/v1/deployments" will return the
1793 // total count
1794 // of deployments across all namespaces.
1795 "jmesPath"?: string
1796
1797 // Method is the HTTP request type (GET or POST). Defaults to GET.
1798 "method"?: "GET" | "POST"
1799
1800 // Service is an API call to a JSON web service.
1801 // This is used for non-Kubernetes API server calls.
1802 // It's mutually exclusive with the URLPath field.
1803 "service"?: {
1804 // CABundle is a PEM encoded CA bundle which will be used to
1805 // validate
1806 // the server certificate. Set it for any https service whose
// certificate is not otherwise trusted; the response feeds policy
// decisions, so the server's identity must be verifiable.
1807 "caBundle"?: string
1808
1809 // Headers is a list of optional HTTP headers to be included in
1810 // the request. Header values are stored in clear text in the
// policy object, so anyone able to read policies can read them; avoid
// embedding long-lived credentials (e.g. Authorization tokens) here.
1811 "headers"?: [...{
1812 // Key is the header key
1813 "key"!: string
1814
1815 // Value is the header value
1816 "value"!: string
1817 }]
1818
1819 // URL is the JSON web service URL. A typical form is
1820 // `https://{service}.{namespace}:{port}/{path}`.
1821 "url"!: string
1822 }
1823
1824 // URLPath is the URL path to be used in the HTTP GET or POST
1825 // request to the
1826 // Kubernetes API server (e.g. "/api/v1/namespaces" or
1827 // "/apis/apps/v1/deployments").
1828 // The format required is the same format used by the `kubectl get
1829 // --raw` command.
1830 // See
1831 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1832 // for details.
1833 // It's mutually exclusive with the Service field.
1834 "urlPath"?: string
1835 }
1836
1837 // ConfigMap is the ConfigMap reference.
1838 "configMap"?: {
1839 // Name is the ConfigMap name.
1840 "name"!: string
1841
1842 // Namespace is the ConfigMap namespace.
1843 "namespace"?: string
1844 }
1845
1846 // GlobalContextEntryReference is a reference to a cached global
1847 // context entry.
1848 "globalReference"?: {
1849 // JMESPath is an optional JSON Match Expression that can be used
1850 // to
1851 // transform the JSON response returned from the server. For
1852 // example
1853 // a JMESPath of "items | length(@)" applied to the API server
1854 // response
1855 // for the URLPath "/apis/apps/v1/deployments" will return the
1856 // total count
1857 // of deployments across all namespaces.
1858 "jmesPath"?: string
1859
1860 // Name of the global context entry
1861 "name"!: string
1862 }
1863
1864 // ImageRegistry defines requests to an OCI/Docker V2 registry to
1865 // fetch image
1866 // details.
1867 "imageRegistry"?: {
1868 // ImageRegistryCredentials provides credentials that will be used
1869 // for authentication with registry
1870 "imageRegistryCredentials"?: {
1871 // AllowInsecureRegistry allows insecure access to a registry.
1872 "allowInsecureRegistry"?: bool
1873
1874 // Providers specifies a list of OCI registry names whose
1875 // authentication providers are provided.
1876 // Each entry must be one of these values:
1877 // default, google, azure, amazon, github.
1878 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1879
1880 // Secrets specifies a list of secrets that are provided for
1881 // credentials.
1882 // Secrets must live in the Kyverno namespace.
1883 "secrets"?: [...string]
1884 }
1885
1886 // JMESPath is an optional JSON Match Expression that can be used
1887 // to
1888 // transform the ImageData struct returned as a result of
1889 // processing
1890 // the image reference.
1891 "jmesPath"?: string
1892
1893 // Reference is image reference to a container image in the
1894 // registry.
1895 // Example: ghcr.io/kyverno/kyverno:latest
1896 "reference"!: string
1897 }
1898
1899 // Name is the variable name.
1900 "name"!: string
1901
1902 // Variable defines an arbitrary JMESPath context variable that
1903 // can be defined inline.
1904 "variable"?: {
1905 // Default is an optional arbitrary JSON object that the variable
1906 // may take if the JMESPath
1907 // expression evaluates to nil
1908 "default"?: null | bool | number | string | [...] | {
1909 ...
1910 }
1911
1912 // JMESPath is an optional JMESPath Expression that can be used to
1913 // transform the variable.
1914 "jmesPath"?: string
1915
1916 // Value is any arbitrary JSON object representable in YAML or
1917 // JSON form.
1918 "value"?: null | bool | number | string | [...] | {
1919 ...
1920 }
1921 }
1922 }]
1923
1924 // Kind specifies resource kind.
1925 "kind"?: string
1926
1927 // Name specifies the resource name.
1928 "name"?: string
1929
1930 // Namespace specifies resource namespace.
1931 "namespace"?: string
1932
1933 // Preconditions are used to determine if a policy rule should be
1934 // applied by evaluating a
1935 // set of conditions. The declaration can contain nested `any` or
1936 // `all` statements. A direct list
1937 // of conditions (without `any` or `all` statements) is supported
1938 // for backwards compatibility but
1939 // will be deprecated in the next major release.
1940 // See: https://kyverno.io/docs/writing-policies/preconditions/
1941 "preconditions"?: null | bool | number | string | [...] | {
1942 ...
1943 }
1944
1945 // Selector allows you to select target resources with their
1946 // labels.
1947 "selector"?: {
1948 // matchExpressions is a list of label selector requirements. The
1949 // requirements are ANDed.
1950 "matchExpressions"?: [...{
1951 // key is the label key that the selector applies to.
1952 "key"!: string
1953
1954 // operator represents a key's relationship to a set of values.
1955 // Valid operators are In, NotIn, Exists and DoesNotExist.
1956 "operator"!: string
1957
1958 // values is an array of string values. If the operator is In or
1959 // NotIn,
1960 // the values array must be non-empty. If the operator is Exists
1961 // or DoesNotExist,
1962 // the values array must be empty. This array is replaced during a
1963 // strategic
1964 // merge patch.
1965 "values"?: [...string]
1966 }]
1967
1968 // matchLabels is a map of {key,value} pairs. A single {key,value}
1969 // in the matchLabels
1970 // map is equivalent to an element of matchExpressions, whose key
1971 // field is "key", the
1972 // operator is "In", and the values array contains only "value".
1973 // The requirements are ANDed.
1974 "matchLabels"?: {
1975 [string]: string
1976 }
1977 }
1978
1979 // UID specifies the resource uid.
1980 "uid"?: string
1981 }]
1982 }
1983
1984 // Name is a label to identify the rule. It must be unique within
1985 // the policy.
1986 "name"!: strings.MaxRunes(
1987 63)
1988
1989 // Preconditions are used to determine if a policy rule should be
1990 // applied by evaluating a
1991 // set of conditions. The declaration can contain nested `any` or
1992 // `all` statements.
1993 // See: https://kyverno.io/docs/writing-policies/preconditions/
1994 "preconditions"?: {
1995 // AllConditions enable variable-based conditional rule execution.
1996 // This is useful for
1997 // finer control of when a rule is applied. A condition can
1998 // reference object data
1999 // using JMESPath notation.
2000 // Here, all of the conditions need to pass.
2001 "all"?: [...{
2002 // Key is the context entry (using JMESPath) for conditional rule
2003 // evaluation.
2004 "key"?: null | bool | number | string | [...] | {
2005 ...
2006 }
2007
2008 // Message is an optional display message
2009 "message"?: string
2010
2011 // Operator is the conditional operation to perform. Valid
2012 // operators are:
2013 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2014 // GreaterThanOrEquals,
2015 // GreaterThan, LessThanOrEquals, LessThan,
2016 // DurationGreaterThanOrEquals, DurationGreaterThan,
2017 // DurationLessThanOrEquals, DurationLessThan. Note: `In` and `NotIn` are listed above but are absent from the enumerated values below, so a condition using either does not validate against this schema.
2018 "operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2019
2020 // Value is the conditional value, or set of values. The values
2021 // can be fixed set
2022 // or can be variables declared using JMESPath.
2023 "value"?: null | bool | number | string | [...] | {
2024 ...
2025 }
2026 }]
2027
2028 // AnyConditions enable variable-based conditional rule execution.
2029 // This is useful for
2030 // finer control of when a rule is applied. A condition can
2031 // reference object data
2032 // using JMESPath notation.
2033 // Here, at least one of the conditions needs to pass.
2034 "any"?: [...{
2035 // Key is the context entry (using JMESPath) for conditional rule
2036 // evaluation.
2037 "key"?: null | bool | number | string | [...] | {
2038 ...
2039 }
2040
2041 // Message is an optional display message
2042 "message"?: string
2043
2044 // Operator is the conditional operation to perform. Valid
2045 // operators are:
2046 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2047 // GreaterThanOrEquals,
2048 // GreaterThan, LessThanOrEquals, LessThan,
2049 // DurationGreaterThanOrEquals, DurationGreaterThan,
2050 // DurationLessThanOrEquals, DurationLessThan. Note: `In` and `NotIn` are listed above but are absent from the enumerated values below, so a condition using either does not validate against this schema.
2051 "operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2052
2053 // Value is the conditional value, or set of values. The values
2054 // can be fixed set
2055 // or can be variables declared using JMESPath.
2056 "value"?: null | bool | number | string | [...] | {
2057 ...
2058 }
2059 }]
2060 }
2061
2062 // SkipBackgroundRequests bypasses admission requests that are
2063 // sent by the background controller.
2064 // The default value is "true"; it must be set to "false"
2065 // to apply
2066 // generate and mutateExisting rules to those requests.
2067 "skipBackgroundRequests"?: bool
2068
2069 // Validation is used to validate matching resources.
2070 "validate"?: {
2071 // AnyPattern specifies list of validation patterns. At least one
2072 // of the patterns
2073 // must be satisfied for the validation rule to succeed.
2074 "anyPattern"?: null | bool | number | string | [...] | {
2075 ...
2076 }
2077
2078 // Assert defines a kyverno-json assertion tree.
2079 "assert"?: {
2080 ...
2081 }
2082
2083 // CEL allows validation checks using the Common Expression
2084 // Language
2085 // (https://kubernetes.io/docs/reference/using-api/cel/).
2086 "cel"?: {
2087 // AuditAnnotations contains CEL expressions which are used to
2088 // produce audit annotations for the audit event of the API
2089 // request.
2090 "auditAnnotations"?: [...{
2091 // key specifies the audit annotation key. The audit annotation
2092 // keys of
2093 // a ValidatingAdmissionPolicy must be unique. The key must be a
2094 // qualified
2095 // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
2096 // length.
2097 //
2098 // The key is combined with the resource name of the
2099 // ValidatingAdmissionPolicy to construct an audit annotation key:
2100 // "{ValidatingAdmissionPolicy name}/{key}".
2101 //
2102 // If an admission webhook uses the same resource name as this
2103 // ValidatingAdmissionPolicy
2104 // and the same audit annotation key, the annotation key will be
2105 // identical.
2106 // In this case, the first annotation written with the key will be
2107 // included
2108 // in the audit event and all subsequent annotations with the same
2109 // key
2110 // will be discarded.
2111 //
2112 // Required.
2113 "key"!: string
2114
2115 // valueExpression represents the expression which is evaluated by
2116 // CEL to
2117 // produce an audit annotation value. The expression must evaluate
2118 // to either
2119 // a string or null value. If the expression evaluates to a
2120 // string, the
2121 // audit annotation is included with the string value. If the
2122 // expression
2123 // evaluates to null or empty string the audit annotation will be
2124 // omitted.
2125 // The valueExpression may be no longer than 5kb in length.
2126 // If the result of the valueExpression is more than 10kb in
2127 // length, it
2128 // will be truncated to 10kb.
2129 //
2130 // If multiple ValidatingAdmissionPolicyBinding resources match an
2131 // API request, then the valueExpression will be evaluated for
2132 // each binding. All unique values produced by the
2133 // valueExpressions
2134 // will be joined together in a comma-separated list.
2135 //
2136 // Required.
2137 "valueExpression"!: string
2138 }]
2139
2140 // Expressions is a list of CELExpression types.
2141 "expressions"?: [...{
2142 // Expression represents the expression which will be evaluated by
2143 // CEL.
2144 // ref: https://github.com/google/cel-spec
2145 // CEL expressions have access to the contents of the API
2146 // request/response, organized into CEL variables as well as some
2147 // other useful variables:
2148 //
2149 // - 'object' - The object from the incoming request. The value is
2150 // null for DELETE requests.
2151 // - 'oldObject' - The existing object. The value is null for
2152 // CREATE requests.
2153 // - 'request' - Attributes of the API
2154 // request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
2155 // - 'params' - Parameter resource referred to by the policy
2156 // binding being evaluated. Only populated if the policy has a
2157 // ParamKind.
2158 // - 'namespaceObject' - The namespace object that the incoming
2159 // object belongs to. The value is null for cluster-scoped
2160 // resources.
2161 // - 'variables' - Map of composited variables, from its name to
2162 // its lazily evaluated value.
2163 // For example, a variable named 'foo' can be accessed as
2164 // 'variables.foo'.
2165 // - 'authorizer' - A CEL Authorizer. May be used to perform
2166 // authorization checks for the principal (user or service
2167 // account) of the request.
2168 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
2169 // - 'authorizer.requestResource' - A CEL ResourceCheck
2170 // constructed from the 'authorizer' and configured with the
2171 // request resource.
2172 //
2173 // The `apiVersion`, `kind`, `metadata.name` and
2174 // `metadata.generateName` are always accessible from the root of
2175 // the
2176 // object. No other metadata properties are accessible.
2177 //
2178 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
2179 // are accessible.
2180 // Accessible property names are escaped according to the
2181 // following rules when accessed in the expression:
2182 // - '__' escapes to '__underscores__'
2183 // - '.' escapes to '__dot__'
2184 // - '-' escapes to '__dash__'
2185 // - '/' escapes to '__slash__'
2186 // - Property names that exactly match a CEL RESERVED keyword
2187 // escape to '__{keyword}__'. The keywords are:
2188 // "true", "false", "null", "in", "as", "break", "const",
2189 // "continue", "else", "for", "function", "if",
2190 // "import", "let", "loop", "package", "namespace", "return".
2191 // Examples:
2192 // - Expression accessing a property named "namespace":
2193 // {"Expression": "object.__namespace__ > 0"}
2194 // - Expression accessing a property named "x-prop":
2195 // {"Expression": "object.x__dash__prop > 0"}
2196 // - Expression accessing a property named "redact__d":
2197 // {"Expression": "object.redact__underscores__d > 0"}
2198 //
2199 // Equality on arrays with list type of 'set' or 'map' ignores
2200 // element order, i.e. [1, 2] == [2, 1].
2201 // Concatenation on arrays with x-kubernetes-list-type use the
2202 // semantics of the list type:
2203 // - 'set': `X + Y` performs a union where the array positions of
2204 // all elements in `X` are preserved and
2205 // non-intersecting elements in `Y` are appended, retaining their
2206 // partial order.
2207 // - 'map': `X + Y` performs a merge where the array positions of
2208 // all keys in `X` are preserved but the values
2209 // are overwritten by values in `Y` when the key sets of `X` and
2210 // `Y` intersect. Elements in `Y` with
2211 // non-intersecting keys are appended, retaining their partial
2212 // order.
2213 // Required.
2214 "expression"!: string
2215
2216 // Message represents the message displayed when validation fails.
2217 // The message is required if the Expression contains
2218 // line breaks. The message must not contain line breaks.
2219 // If unset, the message is "failed rule: {Rule}".
2220 // e.g. "must be a URL with the host matching spec.host"
2221 // If the Expression contains line breaks, Message is required.
2222 // The message must not contain line breaks.
2223 // If unset, the message is "failed Expression: {Expression}".
2224 "message"?: string
2225
2226 // messageExpression declares a CEL expression that evaluates to
2227 // the validation failure message that is returned when this rule
2228 // fails.
2229 // Since messageExpression is used as a failure message, it must
2230 // evaluate to a string.
2231 // If both message and messageExpression are present on a
2232 // validation, then messageExpression will be used if validation
2233 // fails.
2234 // If messageExpression results in a runtime error, the runtime
2235 // error is logged, and the validation failure message is
2236 // produced
2237 // as if the messageExpression field were unset. If
2238 // messageExpression evaluates to an empty string, a string with
2239 // only spaces, or a string
2240 // that contains line breaks, then the validation failure message
2241 // will also be produced as if the messageExpression field were
2242 // unset, and
2243 // the fact that messageExpression produced an empty string/string
2244 // with only spaces/string with line breaks will be logged.
2245 // messageExpression has access to all the same variables as the
2246 // `expression` except for 'authorizer' and
2247 // 'authorizer.requestResource'.
2248 // Example:
2249 // "object.x must be less than max ("+string(params.max)+")"
2250 "messageExpression"?: string
2251
2252 // Reason represents a machine-readable description of why this
2253 // validation failed.
2254 // If this is the first validation in the list to fail, this
2255 // reason, as well as the
2256 // corresponding HTTP response code, are used in the
2257 // HTTP response to the client.
2258 // The currently supported reasons are: "Unauthorized",
2259 // "Forbidden", "Invalid", "RequestEntityTooLarge".
2260 // If not set, StatusReasonInvalid is used in the response to the
2261 // client.
2262 "reason"?: string
2263 }]
2264
2265 // ParamKind is a tuple of Group Kind and Version.
2266 "paramKind"?: {
2267 // APIVersion is the API group version the resources belong to.
2268 // In format of "group/version".
2269 // Required.
2270 "apiVersion"?: string
2271
2272 // Kind is the API kind the resources belong to.
2273 // Required.
2274 "kind"?: string
2275 }
2276
2277 // ParamRef references a parameter resource.
2278 "paramRef"?: {
2279 // name is the name of the resource being referenced.
2280 //
2281 // One of `name` or `selector` must be set, but `name` and
2282 // `selector` are
2283 // mutually exclusive properties. If one is set, the other must be
2284 // unset.
2285 //
2286 // A single parameter used for all admission requests can be
2287 // configured
2288 // by setting the `name` field, leaving `selector` blank, and
2289 // setting namespace
2290 // if `paramKind` is namespace-scoped.
2291 "name"?: string
2292
2293 // namespace is the namespace of the referenced resource. Allows
2294 // limiting
2295 // the search for params to a specific namespace. Applies to both
2296 // `name` and
2297 // `selector` fields.
2298 //
2299 // A per-namespace parameter may be used by specifying a
2300 // namespace-scoped
2301 // `paramKind` in the policy and leaving this field empty.
2302 //
2303 // - If `paramKind` is cluster-scoped, this field MUST be unset.
2304 // Setting this
2305 // field results in a configuration error.
2306 //
2307 // - If `paramKind` is namespace-scoped, the namespace of the
2308 // object being
2309 // evaluated for admission will be used when this field is left
2310 // unset. Take
2311 // care that if this is left empty the binding must not match any
2312 // cluster-scoped
2313 // resources, which will result in an error.
2314 "namespace"?: string
2315
2316 // `parameterNotFoundAction` controls the behavior of the binding
2317 // when the resource
2318 // exists, and name or selector is valid, but there are no
2319 // parameters
2320 // matched by the binding. If the value is set to `Allow`, then no
2321 // matched parameters will be treated as successful validation by
2322 // the binding.
2323 // If set to `Deny`, then no matched parameters will be subject to
2324 // the
2325 // `failurePolicy` of the policy.
2326 //
2327 // Allowed values are `Allow` or `Deny`
2328 //
2329 // Required
2330 "parameterNotFoundAction"?: string
2331
2332 // selector can be used to match multiple param objects based on
2333 // their labels.
2334 // Supply selector: {} to match all resources of the ParamKind.
2335 //
2336 // If multiple params are found, they are all evaluated with the
2337 // policy expressions
2338 // and the results are ANDed together.
2339 //
2340 // One of `name` or `selector` must be set, but `name` and
2341 // `selector` are
2342 // mutually exclusive properties. If one is set, the other must be
2343 // unset.
2344 "selector"?: {
2345 // matchExpressions is a list of label selector requirements. The
2346 // requirements are ANDed.
2347 "matchExpressions"?: [...{
2348 // key is the label key that the selector applies to.
2349 "key"!: string
2350
2351 // operator represents a key's relationship to a set of values.
2352 // Valid operators are In, NotIn, Exists and DoesNotExist.
2353 "operator"!: string
2354
2355 // values is an array of string values. If the operator is In or
2356 // NotIn,
2357 // the values array must be non-empty. If the operator is Exists
2358 // or DoesNotExist,
2359 // the values array must be empty. This array is replaced during a
2360 // strategic
2361 // merge patch.
2362 "values"?: [...string]
2363 }]
2364
2365 // matchLabels is a map of {key,value} pairs. A single {key,value}
2366 // in the matchLabels
2367 // map is equivalent to an element of matchExpressions, whose key
2368 // field is "key", the
2369 // operator is "In", and the values array contains only "value".
2370 // The requirements are ANDed.
2371 "matchLabels"?: {
2372 [string]: string
2373 }
2374 }
2375 }
2376
2377 // Variables contain definitions of variables that can be used in
2378 // composition of other expressions.
2379 // Each variable is defined as a named CEL expression.
2380 // The variables defined here will be available under `variables`
2381 // in other expressions of the policy.
2382 "variables"?: [...{
2383 // Expression is the expression that will be evaluated as the
2384 // value of the variable.
2385 // The CEL expression has access to the same identifiers as the
2386 // CEL expressions in Validation.
2387 "expression"!: string
2388
2389 // Name is the name of the variable. The name must be a valid CEL
2390 // identifier and unique among all variables.
2391 // The variable can be accessed in other expressions through
2392 // `variables`
2393 // For example, if name is "foo", the variable will be available
2394 // as `variables.foo`
2395 "name"!: string
2396 }]
2397 }
2398
2399 // Deny defines conditions used to pass or fail a validation rule.
2400 "deny"?: {
2401 // Multiple conditions can be declared under an `any` or `all`
2402 // statement.
2403 // See:
2404 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
2405 "conditions"?: {
2406 // AllConditions enable variable-based conditional rule execution.
2407 // This is useful for
2408 // finer control of when a rule is applied. A condition can
2409 // reference object data
2410 // using JMESPath notation.
2411 // Here, all of the conditions need to pass.
2412 "all"?: [...{
2413 // Key is the context entry (using JMESPath) for conditional rule
2414 // evaluation.
2415 "key"?: null | bool | number | string | [...] | {
2416 ...
2417 }
2418
2419 // Message is an optional display message
2420 "message"?: string
2421
2422 // Operator is the conditional operation to perform. Valid
2423 // operators are:
2424 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2425 // GreaterThanOrEquals,
2426 // GreaterThan, LessThanOrEquals, LessThan,
2427 // DurationGreaterThanOrEquals, DurationGreaterThan,
2428 // DurationLessThanOrEquals, DurationLessThan. Note: `In` and `NotIn` are listed above but are absent from the enumerated values below, so a condition using either does not validate against this schema.
2429 "operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2430
2431 // Value is the conditional value, or set of values. The values
2432 // can be fixed set
2433 // or can be variables declared using JMESPath.
2434 "value"?: null | bool | number | string | [...] | {
2435 ...
2436 }
2437 }]
2438
2439 // AnyConditions enable variable-based conditional rule execution.
2440 // This is useful for
2441 // finer control of when a rule is applied. A condition can
2442 // reference object data
2443 // using JMESPath notation.
2444 // Here, at least one of the conditions needs to pass.
2445 "any"?: [...{
2446 // Key is the context entry (using JMESPath) for conditional rule
2447 // evaluation.
2448 "key"?: null | bool | number | string | [...] | {
2449 ...
2450 }
2451
2452 // Message is an optional display message
2453 "message"?: string
2454
2455 // Operator is the conditional operation to perform. Valid
2456 // operators are:
2457 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2458 // GreaterThanOrEquals,
2459 // GreaterThan, LessThanOrEquals, LessThan,
2460 // DurationGreaterThanOrEquals, DurationGreaterThan,
2461 // DurationLessThanOrEquals, DurationLessThan. Note: `In` and `NotIn` are listed above but are absent from the enumerated values below, so a condition using either does not validate against this schema.
2462 "operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2463
2464 // Value is the conditional value, or set of values. The values
2465 // can be fixed set
2466 // or can be variables declared using JMESPath.
2467 "value"?: null | bool | number | string | [...] | {
2468 ...
2469 }
2470 }]
2471 }
2472 }
2473
2474 // FailureAction defines if a validation policy rule violation
2475 // should block
2476 // the admission review request (Enforce), or allow (Audit) the
2477 // admission review request
2478 // and report an error in a policy report. Optional.
2479 // Allowed values are Audit or Enforce.
2480 "failureAction"?: "Audit" | "Enforce"
2481
2482 // FailureActionOverrides is a Cluster Policy attribute that
2483 // specifies FailureAction
2484 // namespace-wise. It overrides FailureAction for the specified
2485 // namespaces.
2486 "failureActionOverrides"?: [...{
2487 // ValidationFailureAction defines the policy validation failure
2488 // action
2489 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
2490
2491 // A label selector is a label query over a set of resources. The
2492 // result of matchLabels and
2493 // matchExpressions are ANDed. An empty label selector matches all
2494 // objects. A null
2495 // label selector matches no objects.
2496 "namespaceSelector"?: {
2497 // matchExpressions is a list of label selector requirements. The
2498 // requirements are ANDed.
2499 "matchExpressions"?: [...{
2500 // key is the label key that the selector applies to.
2501 "key"!: string
2502
2503 // operator represents a key's relationship to a set of values.
2504 // Valid operators are In, NotIn, Exists and DoesNotExist.
2505 "operator"!: string
2506
2507 // values is an array of string values. If the operator is In or
2508 // NotIn,
2509 // the values array must be non-empty. If the operator is Exists
2510 // or DoesNotExist,
2511 // the values array must be empty. This array is replaced during a
2512 // strategic
2513 // merge patch.
2514 "values"?: [...string]
2515 }]
2516
2517 // matchLabels is a map of {key,value} pairs. A single {key,value}
2518 // in the matchLabels
2519 // map is equivalent to an element of matchExpressions, whose key
2520 // field is "key", the
2521 // operator is "In", and the values array contains only "value".
2522 // The requirements are ANDed.
2523 "matchLabels"?: {
2524 [string]: string
2525 }
2526 }
2527 "namespaces"?: [...string]
2528 }]
2529
2530 // ForEach applies validate rules to a list of sub-elements by
2531 // creating a context for each entry in the list and looping over
2532 // it to apply the specified logic.
2533 "foreach"?: [...{
2534 // AnyPattern specifies list of validation patterns. At least one
2535 // of the patterns
2536 // must be satisfied for the validation rule to succeed.
2537 "anyPattern"?: null | bool | number | string | [...] | {
2538 ...
2539 }
2540
2541 // Context defines variables and data sources that can be used
2542 // during rule execution.
2543 "context"?: [...matchN(1, [{
2544 "configMap"!: _
2545 }, {
2546 "apiCall"!: _
2547 }, {
2548 "imageRegistry"!: _
2549 }, {
2550 "variable"!: _
2551 }, {
2552 "globalReference"!: _
2553 }]) & {
2554 // APICall is an HTTP request to the Kubernetes API server, or
2555 // other JSON web service.
2556 // The data returned is stored in the context with the name for
2557 // the context entry.
2558 "apiCall"?: {
2559 // The data object specifies the POST data sent to the server.
2560 // Only applicable when the method field is set to POST.
2561 "data"?: [...{
2562 // Key is a unique identifier for the data value
2563 "key"!: string
2564
2565 // Value is the data value
2566 "value"!: null | bool | number | string | [...] | {
2567 ...
2568 }
2569 }]
2570
2571 // Default is an optional arbitrary JSON object that the context
2572 // value is set to, if the apiCall returns error.
2573 "default"?: null | bool | number | string | [...] | {
2574 ...
2575 }
2576
2577 // JMESPath is an optional JSON Match Expression that can be used
2578 // to
2579 // transform the JSON response returned from the server. For
2580 // example
2581 // a JMESPath of "items | length(@)" applied to the API server
2582 // response
2583 // for the URLPath "/apis/apps/v1/deployments" will return the
2584 // total count
2585 // of deployments across all namespaces.
2586 "jmesPath"?: string
2587
2588 // Method is the HTTP request type (GET or POST). Defaults to GET.
2589 "method"?: "GET" | "POST"
2590
2591 // Service is an API call to a JSON web service.
2592 // This is used for non-Kubernetes API server calls.
2593 // It's mutually exclusive with the URLPath field.
2594 "service"?: {
2595 // CABundle is a PEM encoded CA bundle which will be used to
2596 // validate
2597 // the server certificate.
2598 "caBundle"?: string
2599
2600 // Headers is a list of optional HTTP headers to be included in
2601 // the request.
2602 "headers"?: [...{
2603 // Key is the header key
2604 "key"!: string
2605
2606 // Value is the header value
2607 "value"!: string
2608 }]
2609
2610 // URL is the JSON web service URL. A typical form is
2611 // `https://{service}.{namespace}:{port}/{path}`.
2612 "url"!: string
2613 }
2614
2615 // URLPath is the URL path to be used in the HTTP GET or POST
2616 // request to the
2617 // Kubernetes API server (e.g. "/api/v1/namespaces" or
2618 // "/apis/apps/v1/deployments").
2619 // The format required is the same format used by the `kubectl get
2620 // --raw` command.
2621 // See
2622 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2623 // for details.
2624 // It's mutually exclusive with the Service field.
2625 "urlPath"?: string
2626 }
2627
2628 // ConfigMap is the ConfigMap reference.
2629 "configMap"?: {
2630 // Name is the ConfigMap name.
2631 "name"!: string
2632
2633 // Namespace is the ConfigMap namespace.
2634 "namespace"?: string
2635 }
2636
2637 // GlobalContextEntryReference is a reference to a cached global
2638 // context entry.
2639 "globalReference"?: {
2640 // JMESPath is an optional JSON Match Expression that can be used
2641 // to
2642 // transform the JSON response returned from the server. For
2643 // example
2644 // a JMESPath of "items | length(@)" applied to the API server
2645 // response
2646 // for the URLPath "/apis/apps/v1/deployments" will return the
2647 // total count
2648 // of deployments across all namespaces.
2649 "jmesPath"?: string
2650
2651 // Name of the global context entry
2652 "name"!: string
2653 }
2654
2655 // ImageRegistry defines requests to an OCI/Docker V2 registry to
2656 // fetch image
2657 // details.
2658 "imageRegistry"?: {
2659 // ImageRegistryCredentials provides credentials that will be used
2660 // for authentication with registry
2661 "imageRegistryCredentials"?: {
2662 // AllowInsecureRegistry allows insecure access to a registry.
2663 "allowInsecureRegistry"?: bool
2664
2665 // Providers specifies a list of OCI Registry names, whose
2666 // authentication providers are provided.
2667 // It can be of one of these values:
2668 // default,google,azure,amazon,github.
2669 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2670
2671 // Secrets specifies a list of secrets that are provided for
2672 // credentials.
2673 // Secrets must live in the Kyverno namespace.
2674 "secrets"?: [...string]
2675 }
2676
2677 // JMESPath is an optional JSON Match Expression that can be used
2678 // to
2679 // transform the ImageData struct returned as a result of
2680 // processing
2681 // the image reference.
2682 "jmesPath"?: string
2683
2684 // Reference is image reference to a container image in the
2685 // registry.
2686 // Example: ghcr.io/kyverno/kyverno:latest
2687 "reference"!: string
2688 }
2689
2690 // Name is the variable name.
2691 "name"!: string
2692
2693 // Variable defines an arbitrary JMESPath context variable that
2694 // can be defined inline.
2695 "variable"?: {
2696 // Default is an optional arbitrary JSON object that the variable
2697 // may take if the JMESPath
2698 // expression evaluates to nil.
2699 "default"?: null | bool | number | string | [...] | {
2700 ...
2701 }
2702
2703 // JMESPath is an optional JMESPath Expression that can be used to
2704 // transform the variable.
2705 "jmesPath"?: string
2706
2707 // Value is any arbitrary JSON object representable in YAML or
2708 // JSON form.
2709 "value"?: null | bool | number | string | [...] | {
2710 ...
2711 }
2712 }
2713 }]
2714
2715 // Deny defines conditions used to pass or fail a validation rule.
2716 "deny"?: {
2717 // Multiple conditions can be declared under an `any` or `all`
2718 // statement. A direct list
2719 // of conditions (without `any` or `all` statements) is also
2720 // supported for backwards compatibility
2721 // but will be deprecated in the next major release.
2722 // See:
2723 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
2724 "conditions"?: null | bool | number | string | [...] | {
2725 ...
2726 }
2727 }
2728
2729 // ElementScope specifies whether to use the current list element
2730 // as the scope for validation. Defaults to "true" if not
2731 // specified.
2732 // When set to "false", "request.object" is used as the validation
2733 // scope within the foreach
2734 // block to allow referencing other elements in the subtree.
2735 "elementScope"?: bool
2736
2737 // Foreach declares a nested foreach iterator
2738 "foreach"?: null | bool | number | string | [...] | {
2739 ...
2740 }
2741
2742 // List specifies a JMESPath expression that results in one or
2743 // more elements
2744 // to which the validation logic is applied.
2745 "list"?: string
2746
2747 // Pattern specifies an overlay-style pattern used to check
2748 // resources.
2749 "pattern"?: null | bool | number | string | [...] | {
2750 ...
2751 }
2752
2753 // AnyAllConditions are used to determine if a policy rule should
2754 // be applied by evaluating a
2755 // set of conditions. The declaration can contain nested `any` or
2756 // `all` statements.
2757 // See: https://kyverno.io/docs/writing-policies/preconditions/
2758 "preconditions"?: {
2759 // AllConditions enable variable-based conditional rule execution.
2760 // This is useful for
2761 // finer control of when a rule is applied. A condition can
2762 // reference object data
2763 // using JMESPath notation.
2764 // Here, all of the conditions need to pass
2765 "all"?: [...{
2766 // Key is the context entry (using JMESPath) for conditional rule
2767 // evaluation.
2768 "key"?: null | bool | number | string | [...] | {
2769 ...
2770 }
2771
2772 // Message is an optional display message
2773 "message"?: string
2774
2775 // Operator is the conditional operation to perform. Valid
2776 // operators are:
2777 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2778 // GreaterThanOrEquals,
2779 // GreaterThan, LessThanOrEquals, LessThan,
2780 // DurationGreaterThanOrEquals, DurationGreaterThan,
2781 // DurationLessThanOrEquals, DurationLessThan
2782 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2783
2784 // Value is the conditional value, or set of values. The values
2785 // can be fixed set
2786 // or can be variables declared using JMESPath.
2787 "value"?: null | bool | number | string | [...] | {
2788 ...
2789 }
2790 }]
2791
2792 // AnyConditions enable variable-based conditional rule execution.
2793 // This is useful for
2794 // finer control of when a rule is applied. A condition can
2795 // reference object data
2796 // using JMESPath notation.
2797 // Here, at least one of the conditions needs to pass
2798 "any"?: [...{
2799 // Key is the context entry (using JMESPath) for conditional rule
2800 // evaluation.
2801 "key"?: null | bool | number | string | [...] | {
2802 ...
2803 }
2804
2805 // Message is an optional display message
2806 "message"?: string
2807
2808 // Operator is the conditional operation to perform. Valid
2809 // operators are:
2810 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2811 // GreaterThanOrEquals,
2812 // GreaterThan, LessThanOrEquals, LessThan,
2813 // DurationGreaterThanOrEquals, DurationGreaterThan,
2814 // DurationLessThanOrEquals, DurationLessThan
2815 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2816
2817 // Value is the conditional value, or set of values. The values
2818 // can be fixed set
2819 // or can be variables declared using JMESPath.
2820 "value"?: null | bool | number | string | [...] | {
2821 ...
2822 }
2823 }]
2824 ...
2825 }
2826 }]
2827
2828 // Manifest specifies conditions for manifest verification
2829 "manifests"?: {
2830 // AnnotationDomain is custom domain of annotation for message and
2831 // signature. Default is "cosign.sigstore.dev".
2832 "annotationDomain"?: string
2833
2834 // Attestors specify the required attestors (i.e. authorities)
2835 "attestors"?: [...{
2836 // Count specifies the required number of entries that must match.
2837 // If the count is null, all entries must match
2838 // (a logical AND). If the count is 1, at least one entry must
2839 // match (a logical OR). If the count contains a
2840 // value N, then N must be less than or equal to the size of
2841 // entries, and at least N entries must match.
2842 "count"?: int & >=1
2843
2844 // Entries contains the available attestors. An attestor can be a
2845 // static key,
2846 // attributes for keyless verification, or a nested attestor
2847 // declaration.
2848 "entries"?: [...{
2849 // Annotations are used for image verification.
2850 // Every specified key-value pair must exist and match in the
2851 // verified payload.
2852 // The payload may contain other key-value pairs.
2853 "annotations"?: [string]: string
2854
2855 // Attestor is a nested set of Attestor used to specify a more
2856 // complex set of match authorities.
2857 "attestor"?: null | bool | number | string | [...] | {
2858 ...
2859 }
2860
2861 // Certificates specifies one or more certificates.
2862 "certificates"?: {
2863 // Cert is an optional PEM-encoded public certificate.
2864 "cert"?: string
2865
2866 // CertChain is an optional PEM encoded set of certificates used
2867 // to verify the signing certificate.
2868 "certChain"?: string
2869
2870 // CTLog (certificate timestamp log) provides a configuration for
2871 // validation of Signed Certificate
2872 // Timestamps (SCTs). If the value is unset, the default behavior
2873 // by Cosign is used.
2874 "ctlog"?: {
2875 // IgnoreSCT defines whether to skip the Signed Certificate
2876 // Timestamp (SCT) check, i.e. to not require proof that the signing
2877 // certificate was submitted to a certificate transparency log. Default
2878 // is false. Set to true only if SCT inclusion was opted out of during signing.
2879 "ignoreSCT"?: bool
2880
2881 // PubKey, if set, is used to validate SCTs against a custom
2882 // source.
2883 "pubkey"?: string
2884
2885 // TSACertChain, if set, is the PEM-encoded certificate chain file
2886 // for the RFC3161 timestamp authority. Must
2887 // contain the root CA certificate. Optionally may contain
2888 // intermediate CA certificates, and
2889 // may contain the leaf TSA certificate if not present in the
2890 // timestamp response.
2891 "tsaCertChain"?: string
2892 }
2893
2894 // Rekor provides configuration for the Rekor transparency log
2895 // service. If an empty object
2896 // is provided the public instance of Rekor
2897 // (https://rekor.sigstore.dev) is used.
2898 "rekor"?: {
2899 // IgnoreTlog skips transparency log verification. Enabling it drops the Rekor inclusion check, so a signature is then trusted on the key or certificate alone; leave it false unless signatures were deliberately created without a transparency log entry.
2900 "ignoreTlog"?: bool
2901
2902 // RekorPubKey is an optional PEM-encoded public key to use for a
2903 // custom Rekor.
2904 // If set, this will be used to validate transparency log
2905 // signatures from a custom Rekor.
2906 "pubkey"?: string
2907
2908 // URL is the address of the transparency log. Defaults to the
2909 // public Rekor log instance https://rekor.sigstore.dev.
2910 "url"?: string
2911 }
2912 }
2913
2914 // Keyless is a set of attributes used to verify a Sigstore keyless
2915 // attestor.
2916 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
2917 "keyless"?: {
2918 // AdditionalExtensions are certificate-extensions used for
2919 // keyless signing.
2920 "additionalExtensions"?: [string]: string
2921
2922 // CTLog (certificate timestamp log) provides a configuration for
2923 // validation of Signed Certificate
2924 // Timestamps (SCTs). If the value is unset, the default behavior
2925 // by Cosign is used.
2926 "ctlog"?: {
2927 // IgnoreSCT defines whether to skip the Signed Certificate
2928 // Timestamp (SCT) check, i.e. to not require proof that the signing
2929 // certificate was submitted to a certificate transparency log. Default
2930 // is false. Set to true only if SCT inclusion was opted out of during signing.
2931 "ignoreSCT"?: bool
2932
2933 // PubKey, if set, is used to validate SCTs against a custom
2934 // source.
2935 "pubkey"?: string
2936
2937 // TSACertChain, if set, is the PEM-encoded certificate chain file
2938 // for the RFC3161 timestamp authority. Must
2939 // contain the root CA certificate. Optionally may contain
2940 // intermediate CA certificates, and
2941 // may contain the leaf TSA certificate if not present in the
2942 // timestamp response.
2943 "tsaCertChain"?: string
2944 }
2945
2946 // Issuer is the certificate issuer used for keyless signing.
2947 "issuer"?: string
2948
2949 // IssuerRegExp is the regular expression to match the certificate
2950 // issuer used for keyless signing. Anchor the pattern (e.g. ^...$); an unanchored or overly broad expression accepts issuers you did not intend to trust.
2951 "issuerRegExp"?: string
2952
2953 // Rekor provides configuration for the Rekor transparency log
2954 // service. If an empty object
2955 // is provided the public instance of Rekor
2956 // (https://rekor.sigstore.dev) is used.
2957 "rekor"?: {
2958 // IgnoreTlog skips transparency log verification. Enabling it drops the Rekor inclusion check, so a signature is then trusted on the key or certificate alone; leave it false unless signatures were deliberately created without a transparency log entry.
2959 "ignoreTlog"?: bool
2960
2961 // RekorPubKey is an optional PEM-encoded public key to use for a
2962 // custom Rekor.
2963 // If set, this will be used to validate transparency log
2964 // signatures from a custom Rekor.
2965 "pubkey"?: string
2966
2967 // URL is the address of the transparency log. Defaults to the
2968 // public Rekor log instance https://rekor.sigstore.dev.
2969 "url"?: string
2970 }
2971
2972 // Roots is an optional set of PEM encoded trusted root
2973 // certificates.
2974 // If not provided, the system roots are used.
2975 "roots"?: string
2976
2977 // Subject is the verified identity used for keyless signing, for
2978 // example the email address.
2979 "subject"?: string
2980
2981 // SubjectRegExp is the regular expression to match the identity used
2982 // for keyless signing, for example the email address. Anchor the pattern (e.g. ^...$); an unanchored or overly broad expression accepts identities you did not intend to trust.
2983 "subjectRegExp"?: string
2984 }
2985
2986 // Keys specifies one or more public keys.
2987 "keys"?: {
2988 // CTLog (certificate timestamp log) provides a configuration for
2989 // validation of Signed Certificate
2990 // Timestamps (SCTs). If the value is unset, the default behavior
2991 // by Cosign is used.
2992 "ctlog"?: {
2993 // IgnoreSCT defines whether to skip the Signed Certificate
2994 // Timestamp (SCT) check, i.e. to not require proof that the signing
2995 // certificate was submitted to a certificate transparency log. Default
2996 // is false. Set to true only if SCT inclusion was opted out of during signing.
2997 "ignoreSCT"?: bool
2998
2999 // PubKey, if set, is used to validate SCTs against a custom
3000 // source.
3001 "pubkey"?: string
3002
3003 // TSACertChain, if set, is the PEM-encoded certificate chain file
3004 // for the RFC3161 timestamp authority. Must
3005 // contain the root CA certificate. Optionally may contain
3006 // intermediate CA certificates, and
3007 // may contain the leaf TSA certificate if not present in the
3008 // timestamp response.
3009 "tsaCertChain"?: string
3010 }
3011
3012 // KMS provides the URI to the public key stored in a Key
3013 // Management System. See:
3014 // https://github.com/sigstore/cosign/blob/main/KMS.md
3015 "kms"?: string
3016
3017 // Keys is a set of X.509 public keys used to verify image
3018 // signatures. The keys can be directly
3019 // specified or can be a variable reference to a key specified in
3020 // a ConfigMap (see
3021 // https://kyverno.io/docs/writing-policies/variables/), or
3022 // reference a standard Kubernetes Secret
3023 // elsewhere in the cluster by specifying it in the format
3024 // "k8s://<namespace>/<secret_name>".
3025 // The named Secret must specify a key `cosign.pub` containing the
3026 // public key used for
3027 // verification, (see
3028 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3029 // When multiple keys are specified each key is processed as a
3030 // separate staticKey entry
3031 // (.attestors[*].entries.keys) within the set of attestors and
3032 // the count is applied across the keys.
3033 "publicKeys"?: string
3034
3035 // Rekor provides configuration for the Rekor transparency log
3036 // service. If an empty object
3037 // is provided the public instance of Rekor
3038 // (https://rekor.sigstore.dev) is used.
3039 "rekor"?: {
3040 // IgnoreTlog skips transparency log verification. Enabling it drops the Rekor inclusion check, so a signature is then trusted on the key or certificate alone; leave it false unless signatures were deliberately created without a transparency log entry.
3041 "ignoreTlog"?: bool
3042
3043 // RekorPubKey is an optional PEM-encoded public key to use for a
3044 // custom Rekor.
3045 // If set, this will be used to validate transparency log
3046 // signatures from a custom Rekor.
3047 "pubkey"?: string
3048
3049 // URL is the address of the transparency log. Defaults to the
3050 // public Rekor log instance https://rekor.sigstore.dev.
3051 "url"?: string
3052 }
3053
3054 // Reference to a Secret resource that contains a public key
3055 "secret"?: {
3056 // Name of the secret. The provided secret must contain a key
3057 // named cosign.pub.
3058 "name"!: string
3059
3060 // Namespace name where the Secret exists.
3061 "namespace"!: string
3062 }
3063
3064 // Deprecated. Use attestor.signatureAlgorithm instead.
3065 "signatureAlgorithm"?: string
3066 }
3067
3068 // Repository is an optional alternate OCI repository to use for
3069 // signatures and attestations that match this rule.
3070 // If specified Repository will override other OCI image
3071 // repository locations for this Attestor.
3072 "repository"?: string
3073
3074 // Specify signature algorithm for public keys. Supported values
3075 // are sha224, sha256, sha384 and sha512.
3076 "signatureAlgorithm"?: string
3077 }]
3078 }]
3079
3080 // DryRun configuration
3081 "dryRun"?: {
3082 "enable"?: bool
3083 "namespace"?: string
3084 }
3085
3086 // Fields which will be ignored while comparing manifests.
3087 "ignoreFields"?: [...{
3088 "fields"?: [...string]
3089 "objects"?: [...{
3090 "group"?: string
3091 "kind"?: string
3092 "name"?: string
3093 "namespace"?: string
3094 "version"?: string
3095 }]
3096 }]
3097
3098 // Repository is an optional alternate OCI repository to use for
3099 // resource bundle reference.
3100 // The repository can be overridden per Attestor or Attestation.
3101 "repository"?: string
3102 }
3103
3104 // Message specifies a custom message to be displayed on failure.
3105 "message"?: string
3106
3107 // Pattern specifies an overlay-style pattern used to check
3108 // resources.
3109 "pattern"?: null | bool | number | string | [...] | {
3110 ...
3111 }
3112
3113 // PodSecurity applies exemptions for Kubernetes Pod Security
3114 // admission
3115 // by specifying exclusions for Pod Security Standards controls.
3116 "podSecurity"?: {
3117 // Exclude specifies the Pod Security Standard controls to be
3118 // excluded.
3119 "exclude"?: [...{
3120 // ControlName specifies the name of the Pod Security Standard
3121 // control.
3122 // See:
3123 // https://kubernetes.io/docs/concepts/security/pod-security-standards/
3124 "controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
3125
3126 // Images selects matching containers and applies the container
3127 // level PSS.
3128 // Each image is the image name consisting of the registry
3129 // address, repository, image, and tag.
3130 // An empty list matches no containers; PSS checks are then applied at the
3131 // pod level only.
3132 // Wildcards ('*' and '?') are allowed. See:
3133 // https://kubernetes.io/docs/concepts/containers/images.
3134 "images"?: [...string]
3135
3136 // RestrictedField selects the field for the given Pod Security
3137 // Standard control.
3138 // When not set, all restricted fields for the control are
3139 // selected.
3140 "restrictedField"?: string
3141
3142 // Values defines the allowed values that can be excluded.
3143 "values"?: [...string]
3144 }]
3145
3146 // Level defines the Pod Security Standard level to be applied to
3147 // workloads.
3148 // Allowed values are privileged, baseline, and restricted.
3149 "level"?: "privileged" | "baseline" | "restricted"
3150
3151 // Version defines the Pod Security Standard versions that
3152 // Kubernetes supports.
3153 // Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
3154 // v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
3155 "version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
3156 }
3157 }
3158
3159 // VerifyImages is used to verify image signatures and mutate them
3160 // to add a digest.
3161 "verifyImages"?: [...{
3162 // Attestations are optional checks for signed in-toto Statements
3163 // used to verify the image.
3164 // See https://github.com/in-toto/attestation. Kyverno fetches
3165 // signed attestations from the
3166 // OCI registry and decodes them into a list of Statement
3167 // declarations.
3168 "attestations"?: [...{
3169 // Attestors specify the required attestors (i.e. authorities).
3170 "attestors"?: [...{
3171 // Count specifies the required number of entries that must match.
3172 // If the count is null, all entries must match
3173 // (a logical AND). If the count is 1, at least one entry must
3174 // match (a logical OR). If the count contains a
3175 // value N, then N must be less than or equal to the size of
3176 // entries, and at least N entries must match.
3177 "count"?: int & >=1
3178
3179 // Entries contains the available attestors. An attestor can be a
3180 // static key,
3181 // attributes for keyless verification, or a nested attestor
3182 // declaration.
3183 "entries"?: [...{
3184 // Annotations are used for image verification.
3185 // Every specified key-value pair must exist and match in the
3186 // verified payload.
3187 // The payload may contain other key-value pairs.
3188 "annotations"?: [string]: string
3189
3190 // Attestor is a nested set of Attestor used to specify a more
3191 // complex set of match authorities.
3192 "attestor"?: null | bool | number | string | [...] | {
3193 ...
3194 }
3195
3196 // Certificates specifies one or more certificates.
3197 "certificates"?: {
3198 // Cert is an optional PEM-encoded public certificate.
3199 "cert"?: string
3200
3201 // CertChain is an optional PEM encoded set of certificates used
3202 // to verify the signing certificate.
3203 "certChain"?: string
3204
3205 // CTLog (certificate timestamp log) provides a configuration for
3206 // validation of Signed Certificate
3207 // Timestamps (SCTs). If the value is unset, the default behavior
3208 // by Cosign is used.
3209 "ctlog"?: {
3210 // IgnoreSCT defines whether to skip the Signed Certificate
3211 // Timestamp (SCT) check, i.e. to not require proof that the signing
3212 // certificate was submitted to a certificate transparency log. Default
3213 // is false. Set to true only if SCT inclusion was opted out of during signing.
3214 "ignoreSCT"?: bool
3215
3216 // PubKey, if set, is used to validate SCTs against a custom
3217 // source.
3218 "pubkey"?: string
3219
3220 // TSACertChain, if set, is the PEM-encoded certificate chain file
3221 // for the RFC3161 timestamp authority. Must
3222 // contain the root CA certificate. Optionally may contain
3223 // intermediate CA certificates, and
3224 // may contain the leaf TSA certificate if not present in the
3225 // timestamp response.
3226 "tsaCertChain"?: string
3227 }
3228
3229 // Rekor provides configuration for the Rekor transparency log
3230 // service. If an empty object
3231 // is provided the public instance of Rekor
3232 // (https://rekor.sigstore.dev) is used.
3233 "rekor"?: {
3234 // IgnoreTlog skips transparency log verification. Enabling it drops the Rekor inclusion check, so a signature is then trusted on the key or certificate alone; leave it false unless signatures were deliberately created without a transparency log entry.
3235 "ignoreTlog"?: bool
3236
3237 // RekorPubKey is an optional PEM-encoded public key to use for a
3238 // custom Rekor.
3239 // If set, this will be used to validate transparency log
3240 // signatures from a custom Rekor.
3241 "pubkey"?: string
3242
3243 // URL is the address of the transparency log. Defaults to the
3244 // public Rekor log instance https://rekor.sigstore.dev.
3245 "url"?: string
3246 }
3247 }
3248
3249 // Keyless is a set of attributes used to verify a Sigstore keyless
3250 // attestor.
3251 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3252 "keyless"?: {
3253 // AdditionalExtensions are certificate-extensions used for
3254 // keyless signing.
3255 "additionalExtensions"?: [string]: string
3256
3257 // CTLog (certificate timestamp log) provides a configuration for
3258 // validation of Signed Certificate
3259 // Timestamps (SCTs). If the value is unset, the default behavior
3260 // by Cosign is used.
3261 "ctlog"?: {
3262 // IgnoreSCT defines whether to skip the Signed Certificate
3263 // Timestamp (SCT) check, i.e. to not require proof that the signing
3264 // certificate was submitted to a certificate transparency log. Default
3265 // is false. Set to true only if SCT inclusion was opted out of during signing.
3266 "ignoreSCT"?: bool
3267
3268 // PubKey, if set, is used to validate SCTs against a custom
3269 // source.
3270 "pubkey"?: string
3271
3272 // TSACertChain, if set, is the PEM-encoded certificate chain file
3273 // for the RFC3161 timestamp authority. Must
3274 // contain the root CA certificate. Optionally may contain
3275 // intermediate CA certificates, and
3276 // may contain the leaf TSA certificate if not present in the
3277 // timestamp response.
3278 "tsaCertChain"?: string
3279 }
3280
3281 // Issuer is the certificate issuer used for keyless signing.
3282 "issuer"?: string
3283
3284 // IssuerRegExp is the regular expression to match the certificate
3285 // issuer used for keyless signing. Anchor the pattern (e.g. ^...$); an unanchored or overly broad expression accepts issuers you did not intend to trust.
3286 "issuerRegExp"?: string
3287
3288 // Rekor provides configuration for the Rekor transparency log
3289 // service. If an empty object
3290 // is provided the public instance of Rekor
3291 // (https://rekor.sigstore.dev) is used.
3292 "rekor"?: {
3293 // IgnoreTlog skips transparency log verification. Enabling it drops the Rekor inclusion check, so a signature is then trusted on the key or certificate alone; leave it false unless signatures were deliberately created without a transparency log entry.
3294 "ignoreTlog"?: bool
3295
3296 // RekorPubKey is an optional PEM-encoded public key to use for a
3297 // custom Rekor.
3298 // If set, this will be used to validate transparency log
3299 // signatures from a custom Rekor.
3300 "pubkey"?: string
3301
3302 // URL is the address of the transparency log. Defaults to the
3303 // public Rekor log instance https://rekor.sigstore.dev.
3304 "url"?: string
3305 }
3306
3307 // Roots is an optional set of PEM encoded trusted root
3308 // certificates.
3309 // If not provided, the system roots are used.
3310 "roots"?: string
3311
3312 // Subject is the verified identity used for keyless signing, for
3313 // example the email address.
3314 "subject"?: string
3315
3316 // SubjectRegExp is the regular expression to match the identity used
3317 // for keyless signing, for example the email address. Anchor the pattern (e.g. ^...$); an unanchored or overly broad expression accepts identities you did not intend to trust.
3318 "subjectRegExp"?: string
3319 }
3320
3321 // Keys specifies one or more public keys.
3322 "keys"?: {
3323 // CTLog (certificate timestamp log) provides a configuration for
3324 // validation of Signed Certificate
3325 // Timestamps (SCTs). If the value is unset, the default behavior
3326 // by Cosign is used.
3327 "ctlog"?: {
3328 // IgnoreSCT defines whether to skip the Signed Certificate
3329 // Timestamp (SCT) check, i.e. to not require proof that the signing
3330 // certificate was submitted to a certificate transparency log. Default
3331 // is false. Set to true only if SCT inclusion was opted out of during signing.
3332 "ignoreSCT"?: bool
3333
3334 // PubKey, if set, is used to validate SCTs against a custom
3335 // source.
3336 "pubkey"?: string
3337
3338 // TSACertChain, if set, is the PEM-encoded certificate chain file
3339 // for the RFC3161 timestamp authority. Must
3340 // contain the root CA certificate. Optionally may contain
3341 // intermediate CA certificates, and
3342 // may contain the leaf TSA certificate if not present in the
3343 // timestamp response.
3344 "tsaCertChain"?: string
3345 }
3346
3347 // KMS provides the URI to the public key stored in a Key
3348 // Management System. See:
3349 // https://github.com/sigstore/cosign/blob/main/KMS.md
3350 "kms"?: string
3351
3352 // Keys is a set of X.509 public keys used to verify image
3353 // signatures. The keys can be directly
3354 // specified or can be a variable reference to a key specified in
3355 // a ConfigMap (see
3356 // https://kyverno.io/docs/writing-policies/variables/), or
3357 // reference a standard Kubernetes Secret
3358 // elsewhere in the cluster by specifying it in the format
3359 // "k8s://<namespace>/<secret_name>".
3360 // The named Secret must specify a key `cosign.pub` containing the
3361 // public key used for
3362 // verification, (see
3363 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3364 // When multiple keys are specified each key is processed as a
3365 // separate staticKey entry
3366 // (.attestors[*].entries.keys) within the set of attestors and
3367 // the count is applied across the keys.
3368 "publicKeys"?: string
3369
3370 // Rekor provides configuration for the Rekor transparency log
3371 // service. If an empty object
3372 // is provided the public instance of Rekor
3373 // (https://rekor.sigstore.dev) is used.
3374 "rekor"?: {
3375 // IgnoreTlog skips transparency log verification. Enabling it drops the Rekor inclusion check, so a signature is then trusted on the key or certificate alone; leave it false unless signatures were deliberately created without a transparency log entry.
3376 "ignoreTlog"?: bool
3377
3378 // RekorPubKey is an optional PEM-encoded public key to use for a
3379 // custom Rekor.
3380 // If set, this will be used to validate transparency log
3381 // signatures from a custom Rekor.
3382 "pubkey"?: string
3383
3384 // URL is the address of the transparency log. Defaults to the
3385 // public Rekor log instance https://rekor.sigstore.dev.
3386 "url"?: string
3387 }
3388
3389 // Reference to a Secret resource that contains a public key
3390 "secret"?: {
3391 // Name of the secret. The provided secret must contain a key
3392 // named cosign.pub.
3393 "name"!: string
3394
3395 // Namespace name where the Secret exists.
3396 "namespace"!: string
3397 }
3398
3399 // Deprecated. Use attestor.signatureAlgorithm instead.
3400 "signatureAlgorithm"?: string
3401 }
3402
3403 // Repository is an optional alternate OCI repository to use for
3404 // signatures and attestations that match this rule.
3405 // If specified Repository will override other OCI image
3406 // repository locations for this Attestor.
3407 "repository"?: string
3408
3409 // Specify signature algorithm for public keys. Supported values
3410 // are sha224, sha256, sha384 and sha512.
3411 "signatureAlgorithm"?: string
3412 }]
3413 }]
3414
3415 // Conditions are used to verify attributes within a Predicate. If
3416 // no Conditions are specified
3417 // the attestation check is satisfied as long as there are predicates
3418 // that match the predicate type (i.e. a matching, validly signed attestation passes regardless of its content).
3419 "conditions"?: [...{
3420 // AllConditions enable variable-based conditional rule execution.
3421 // This is useful for
3422 // finer control of when a rule is applied. A condition can
3423 // reference object data
3424 // using JMESPath notation.
3425 // Here, all of the conditions need to pass
3426 "all"?: [...{
3427 // Key is the context entry (using JMESPath) for conditional rule
3428 // evaluation.
3429 "key"?: null | bool | number | string | [...] | {
3430 ...
3431 }
3432
3433 // Message is an optional display message
3434 "message"?: string
3435
3436 // Operator is the conditional operation to perform. Valid
3437 // operators are:
3438 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3439 // GreaterThanOrEquals,
3440 // GreaterThan, LessThanOrEquals, LessThan,
3441 // DurationGreaterThanOrEquals, DurationGreaterThan,
3442 // DurationLessThanOrEquals, DurationLessThan
3443 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3444
3445 // Value is the conditional value, or set of values. The values
3446 // can be fixed set
3447 // or can be variables declared using JMESPath.
3448 "value"?: null | bool | number | string | [...] | {
3449 ...
3450 }
3451 }]
3452
3453 // AnyConditions enable variable-based conditional rule execution.
3454 // This is useful for
3455 // finer control of when a rule is applied. A condition can
3456 // reference object data
3457 // using JMESPath notation.
3458 // Here, at least one of the conditions needs to pass
3459 "any"?: [...{
3460 // Key is the context entry (using JMESPath) for conditional rule
3461 // evaluation.
3462 "key"?: null | bool | number | string | [...] | {
3463 ...
3464 }
3465
3466 // Message is an optional display message
3467 "message"?: string
3468
3469 // Operator is the conditional operation to perform. Valid
3470 // operators are:
3471 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3472 // GreaterThanOrEquals,
3473 // GreaterThan, LessThanOrEquals, LessThan,
3474 // DurationGreaterThanOrEquals, DurationGreaterThan,
3475 // DurationLessThanOrEquals, DurationLessThan
3476 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3477
3478 // Value is the conditional value, or set of values. The values
3479 // can be fixed set
3480 // or can be variables declared using JMESPath.
3481 "value"?: null | bool | number | string | [...] | {
3482 ...
3483 }
3484 }]
3485 }]
3486
3487 // Name is the variable name.
3488 "name"?: string
3489
3490 // Deprecated in favour of 'Type', to be removed soon
3491 "predicateType"?: string
3492
3493 // Type defines the type of attestation contained within the
3494 // Statement.
3495 "type"?: string
3496 }]
3497
3498 // Attestors specify the required attestors (i.e. authorities)
3499 "attestors"?: [...{
3500 // Count specifies the required number of entries that must match.
3501 // If the count is null, all entries must match
3502 // (a logical AND). If the count is 1, at least one entry must
3503 // match (a logical OR). If the count contains a
3504 // value N, then N must be less than or equal to the size of
3505 // entries, and at least N entries must match.
3506 "count"?: int & >=1
3507
3508 // Entries contains the available attestors. An attestor can be a
3509 // static key,
3510 // attributes for keyless verification, or a nested attestor
3511 // declaration.
3512 "entries"?: [...{
3513 // Annotations are used for image verification.
3514 // Every specified key-value pair must exist and match in the
3515 // verified payload.
3516 // The payload may contain other key-value pairs.
3517 "annotations"?: [string]: string
3518
3519 // Attestor is a nested set of Attestor used to specify a more
3520 // complex set of match authorities.
3521 "attestor"?: null | bool | number | string | [...] | {
3522 ...
3523 }
3524
3525 // Certificates specifies one or more certificates.
3526 "certificates"?: {
3527 // Cert is an optional PEM-encoded public certificate.
3528 "cert"?: string
3529
3530 // CertChain is an optional PEM encoded set of certificates used
3531 // to verify.
3532 "certChain"?: string
3533
3534 // CTLog (certificate timestamp log) provides a configuration for
3535 // validation of Signed Certificate
3536 // Timestamps (SCTs). If the value is unset, the default behavior
3537 // by Cosign is used.
3538 "ctlog"?: {
3539 // IgnoreSCT defines whether to use the Signed Certificate
3540 // Timestamp (SCT) log to check for a certificate
3541 // timestamp. Default is false. Set to true if this was opted out
3542 // during signing.
3543 "ignoreSCT"?: bool
3544
3545 // PubKey, if set, is used to validate SCTs against a custom
3546 // source.
3547 "pubkey"?: string
3548
3549 // TSACertChain, if set, is the PEM-encoded certificate chain file
3550 // for the RFC3161 timestamp authority. Must
3551 // contain the root CA certificate. Optionally may contain
3552 // intermediate CA certificates, and
3553 // may contain the leaf TSA certificate if not present in the
3554 // timestamp response.
3555 "tsaCertChain"?: string
3556 }
3557
3558 // Rekor provides configuration for the Rekor transparency log
3559 // service. If an empty object
3560 // is provided the public instance of Rekor
3561 // (https://rekor.sigstore.dev) is used.
3562 "rekor"?: {
3563 // IgnoreTlog skips transparency log verification.
3564 "ignoreTlog"?: bool
3565
3566 // RekorPubKey is an optional PEM-encoded public key to use for a
3567 // custom Rekor.
3568 // If set, this will be used to validate transparency log
3569 // signatures from a custom Rekor.
3570 "pubkey"?: string
3571
3572 // URL is the address of the transparency log. Defaults to the
3573 // public Rekor log instance https://rekor.sigstore.dev.
3574 "url"?: string
3575 }
3576 }
3577
3578 // Keyless is a set of attributes used to verify a Sigstore keyless
3579 // attestor.
3580 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3581 "keyless"?: {
3582 // AdditionalExtensions are certificate-extensions used for
3583 // keyless signing.
3584 "additionalExtensions"?: [string]: string
3585
3586 // CTLog (certificate timestamp log) provides a configuration for
3587 // validation of Signed Certificate
3588 // Timestamps (SCTs). If the value is unset, the default behavior
3589 // by Cosign is used.
3590 "ctlog"?: {
3591 // IgnoreSCT defines whether to use the Signed Certificate
3592 // Timestamp (SCT) log to check for a certificate
3593 // timestamp. Default is false. Set to true if this was opted out
3594 // during signing.
3595 "ignoreSCT"?: bool
3596
3597 // PubKey, if set, is used to validate SCTs against a custom
3598 // source.
3599 "pubkey"?: string
3600
3601 // TSACertChain, if set, is the PEM-encoded certificate chain file
3602 // for the RFC3161 timestamp authority. Must
3603 // contain the root CA certificate. Optionally may contain
3604 // intermediate CA certificates, and
3605 // may contain the leaf TSA certificate if not present in the
3606 // timestamp response.
3607 "tsaCertChain"?: string
3608 }
3609
3610 // Issuer is the certificate issuer used for keyless signing.
3611 "issuer"?: string
3612
3613 // IssuerRegExp is the regular expression to match certificate
3614 // issuer used for keyless signing.
3615 "issuerRegExp"?: string
3616
3617 // Rekor provides configuration for the Rekor transparency log
3618 // service. If an empty object
3619 // is provided the public instance of Rekor
3620 // (https://rekor.sigstore.dev) is used.
3621 "rekor"?: {
3622 // IgnoreTlog skips transparency log verification.
3623 "ignoreTlog"?: bool
3624
3625 // RekorPubKey is an optional PEM-encoded public key to use for a
3626 // custom Rekor.
3627 // If set, this will be used to validate transparency log
3628 // signatures from a custom Rekor.
3629 "pubkey"?: string
3630
3631 // URL is the address of the transparency log. Defaults to the
3632 // public Rekor log instance https://rekor.sigstore.dev.
3633 "url"?: string
3634 }
3635
3636 // Roots is an optional set of PEM encoded trusted root
3637 // certificates.
3638 // If not provided, the system roots are used.
3639 "roots"?: string
3640
3641 // Subject is the verified identity used for keyless signing, for
3642 // example the email address.
3643 "subject"?: string
3644
3645 // SubjectRegExp is the regular expression to match identity used
3646 // for keyless signing, for example the email address.
3647 "subjectRegExp"?: string
3648 }
3649
3650 // Keys specifies one or more public keys.
3651 "keys"?: {
3652 // CTLog (certificate timestamp log) provides a configuration for
3653 // validation of Signed Certificate
3654 // Timestamps (SCTs). If the value is unset, the default behavior
3655 // by Cosign is used.
3656 "ctlog"?: {
3657 // IgnoreSCT defines whether to use the Signed Certificate
3658 // Timestamp (SCT) log to check for a certificate
3659 // timestamp. Default is false. Set to true if this was opted out
3660 // during signing.
3661 "ignoreSCT"?: bool
3662
3663 // PubKey, if set, is used to validate SCTs against a custom
3664 // source.
3665 "pubkey"?: string
3666
3667 // TSACertChain, if set, is the PEM-encoded certificate chain file
3668 // for the RFC3161 timestamp authority. Must
3669 // contain the root CA certificate. Optionally may contain
3670 // intermediate CA certificates, and
3671 // may contain the leaf TSA certificate if not present in the
3672 // timestamp response.
3673 "tsaCertChain"?: string
3674 }
3675
3676 // KMS provides the URI to the public key stored in a Key
3677 // Management System. See:
3678 // https://github.com/sigstore/cosign/blob/main/KMS.md
3679 "kms"?: string
3680
3681 // Keys is a set of X.509 public keys used to verify image
3682 // signatures. The keys can be directly
3683 // specified or can be a variable reference to a key specified in
3684 // a ConfigMap (see
3685 // https://kyverno.io/docs/writing-policies/variables/), or
3686 // reference a standard Kubernetes Secret
3687 // elsewhere in the cluster by specifying it in the format
3688 // "k8s://<namespace>/<secret_name>".
3689 // The named Secret must specify a key `cosign.pub` containing the
3690 // public key used for
3691 // verification, (see
3692 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3693 // When multiple keys are specified each key is processed as a
3694 // separate staticKey entry
3695 // (.attestors[*].entries.keys) within the set of attestors and
3696 // the count is applied across the keys.
3697 "publicKeys"?: string
3698
3699 // Rekor provides configuration for the Rekor transparency log
3700 // service. If an empty object
3701 // is provided the public instance of Rekor
3702 // (https://rekor.sigstore.dev) is used.
3703 "rekor"?: {
3704 // IgnoreTlog skips transparency log verification.
3705 "ignoreTlog"?: bool
3706
3707 // RekorPubKey is an optional PEM-encoded public key to use for a
3708 // custom Rekor.
3709 // If set, this will be used to validate transparency log
3710 // signatures from a custom Rekor.
3711 "pubkey"?: string
3712
3713 // URL is the address of the transparency log. Defaults to the
3714 // public Rekor log instance https://rekor.sigstore.dev.
3715 "url"?: string
3716 }
3717
3718 // Reference to a Secret resource that contains a public key
3719 "secret"?: {
3720 // Name of the secret. The provided secret must contain a key
3721 // named cosign.pub.
3722 "name"!: string
3723
3724 // Namespace name where the Secret exists.
3725 "namespace"!: string
3726 }
3727
3728 // Deprecated. Use attestor.signatureAlgorithm instead.
3729 "signatureAlgorithm"?: string
3730 }
3731
3732 // Repository is an optional alternate OCI repository to use for
3733 // signatures and attestations that match this rule.
3734 // If specified Repository will override other OCI image
3735 // repository locations for this Attestor.
3736 "repository"?: string
3737
3738 // Specify signature algorithm for public keys. Supported values
3739 // are sha224, sha256, sha384 and sha512.
3740 "signatureAlgorithm"?: string
3741 }]
3742 }]
3743
3744 // Allowed values are Audit or Enforce.
3745 "failureAction"?: "Audit" | "Enforce"
3746
3747 // ImageReferences is a list of matching image reference patterns.
3748 // At least one pattern in the
3749 // list must match the image for the rule to apply. Each image
3750 // reference consists of a registry
3751 // address (defaults to docker.io), repository, image, and tag
3752 // (defaults to latest).
3753 // Wildcards ('*' and '?') are allowed. See:
3754 // https://kubernetes.io/docs/concepts/containers/images.
3755 "imageReferences"?: [...string]
3756
3757 // ImageRegistryCredentials provides credentials that will be used
3758 // for authentication with the registry.
3759 "imageRegistryCredentials"?: {
3760 // AllowInsecureRegistry allows insecure access to a registry.
3761 "allowInsecureRegistry"?: bool
3762
3763 // Providers specifies a list of OCI Registry names, whose
3764 // authentication providers are provided.
3765 // It can be of one of these values:
3766 // default,google,azure,amazon,github.
3767 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
3768
3769 // Secrets specifies a list of secrets that are provided for
3770 // credentials.
3771 // Secrets must live in the Kyverno namespace.
3772 "secrets"?: [...string]
3773 }
3774
3775 // MutateDigest enables replacement of image tags with digests.
3776 // Defaults to true.
3777 "mutateDigest"?: bool
3778
3779 // Repository is an optional alternate OCI repository to use for
3780 // image signatures and attestations that match this rule.
3781 // If specified Repository will override the default OCI image
3782 // repository configured for the installation.
3783 // The repository can also be overridden per Attestor or
3784 // Attestation.
3785 "repository"?: string
3786
3787 // Required validates that images are verified, i.e. have passed
3788 // a signature or attestation check.
3789 "required"?: bool
3790
3791 // SkipImageReferences is a list of matching image reference
3792 // patterns that should be skipped.
3793 // At least one pattern in the list must match the image for the
3794 // rule to be skipped. Each image reference
3795 // consists of a registry address (defaults to docker.io),
3796 // repository, image, and tag (defaults to latest).
3797 // Wildcards ('*' and '?') are allowed. See:
3798 // https://kubernetes.io/docs/concepts/containers/images.
3799 "skipImageReferences"?: [...string]
3800
3801 // Type specifies the method of signature validation. The allowed
3802 // options
3803 // are Cosign, SigstoreBundle and Notary. By default Cosign is used
3804 // if a type is not specified.
3805 "type"?: "Cosign" | "SigstoreBundle" | "Notary"
3806
3807 // UseCache enables caching of image verify responses for this
3808 // rule
3809 "useCache"?: bool
3810
3811 // Validation checks conditions across multiple image
3812 // verification attestations or context entries
3813 "validate"?: {
3814 // Deny defines conditions used to pass or fail a validation rule.
3815 "deny"?: {
3816 // Multiple conditions can be declared under an `any` or `all`
3817 // statement. A direct list
3818 // of conditions (without `any` or `all` statements) is also
3819 // supported for backwards compatibility
3820 // but will be deprecated in the next major release.
3821 // See:
3822 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
3823 "conditions"?: null | bool | number | string | [...] | {
3824 ...
3825 }
3826 }
3827
3828 // Message specifies a custom message to be displayed on failure.
3829 "message"?: string
3830 }
3831
3832 // VerifyDigest validates that images have a digest.
3833 "verifyDigest"?: bool
3834 }]
3835 }]
3836
3837 // Deprecated.
3838 "schemaValidation"?: bool
3839
3840 // UseServerSideApply controls whether to use server-side apply
3841 // for generate rules
3842 // If set to "true", create & update for generate rules will use
3843 // apply instead of create/update.
3844 // Defaults to "false" if not specified.
3845 "useServerSideApply"?: bool
3846
3847 // Deprecated, use validationFailureAction under the validate rule
3848 // instead.
3849 "validationFailureAction"?: "audit" | "enforce" | "Audit" | "Enforce"
3850
3851 // Deprecated, use validationFailureActionOverrides under the
3852 // validate rule instead.
3853 "validationFailureActionOverrides"?: [...{
3854 // ValidationFailureAction defines the policy validation failure
3855 // action
3856 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
3857
3858 // A label selector is a label query over a set of resources. The
3859 // result of matchLabels and
3860 // matchExpressions are ANDed. An empty label selector matches all
3861 // objects. A null
3862 // label selector matches no objects.
3863 "namespaceSelector"?: {
3864 // matchExpressions is a list of label selector requirements. The
3865 // requirements are ANDed.
3866 "matchExpressions"?: [...{
3867 // key is the label key that the selector applies to.
3868 "key"!: string
3869
3870 // operator represents a key's relationship to a set of values.
3871 // Valid operators are In, NotIn, Exists and DoesNotExist.
3872 "operator"!: string
3873
3874 // values is an array of string values. If the operator is In or
3875 // NotIn,
3876 // the values array must be non-empty. If the operator is Exists
3877 // or DoesNotExist,
3878 // the values array must be empty. This array is replaced during a
3879 // strategic
3880 // merge patch.
3881 "values"?: [...string]
3882 }]
3883
3884 // matchLabels is a map of {key,value} pairs. A single {key,value}
3885 // in the matchLabels
3886 // map is equivalent to an element of matchExpressions, whose key
3887 // field is "key", the
3888 // operator is "In", and the values array contains only "value".
3889 // The requirements are ANDed.
3890 "matchLabels"?: {
3891 [string]: string
3892 }
3893 }
3894 "namespaces"?: [...string]
3895 }]
3896
3897 // WebhookConfiguration specifies the custom configuration for
3898 // Kubernetes admission webhookconfiguration.
3899 "webhookConfiguration"?: {
3900 // FailurePolicy defines how unexpected policy errors and webhook
3901 // response timeout errors are handled.
3902 // Rules within the same policy share the same failure behavior.
3903 // This field should not be accessed directly, instead
3904 // `GetFailurePolicy()` should be used.
3905 // Allowed values are Ignore or Fail. Defaults to Fail.
3906 "failurePolicy"?: "Ignore" | "Fail"
3907
3908 // MatchCondition configures admission webhook matchConditions.
3909 // Requires Kubernetes 1.27 or later.
3910 "matchConditions"?: [...{
3911 // Expression represents the expression which will be evaluated by
3912 // CEL. Must evaluate to bool.
3913 // CEL expressions have access to the contents of the
3914 // AdmissionRequest and Authorizer, organized into CEL variables:
3915 //
3916 // 'object' - The object from the incoming request. The value is
3917 // null for DELETE requests.
3918 // 'oldObject' - The existing object. The value is null for CREATE
3919 // requests.
3920 // 'request' - Attributes of the admission
3921 // request(/pkg/apis/admission/types.go#AdmissionRequest).
3922 // 'authorizer' - A CEL Authorizer. May be used to perform
3923 // authorization checks for the principal (user or service
3924 // account) of the request.
3925 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
3926 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
3927 // from the 'authorizer' and configured with the
3928 // request resource.
3929 // Documentation on CEL:
3930 // https://kubernetes.io/docs/reference/using-api/cel/
3931 //
3932 // Required.
3933 "expression"!: string
3934
3935 // Name is an identifier for this match condition, used for
3936 // strategic merging of MatchConditions,
3937 // as well as providing an identifier for logging purposes. A good
3938 // name should be descriptive of
3939 // the associated expression.
3940 // Name must be a qualified name consisting of alphanumeric
3941 // characters, '-', '_' or '.', and
3942 // must start and end with an alphanumeric character (e.g.
3943 // 'MyName', or 'my.name', or
3944 // '123-abc', regex used for validation is
3945 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
3946 // optional DNS subdomain prefix and '/' (e.g.
3947 // 'example.com/MyName')
3948 //
3949 // Required.
3950 "name"!: string
3951 }]
3952
3953 // TimeoutSeconds specifies the maximum time in seconds allowed to
3954 // apply this policy.
3955 // After the configured time expires, the admission request may
3956 // fail, or may simply ignore the policy results,
3957 // based on the failure policy. The default timeout is 10s, the
3958 // value must be between 1 and 30 seconds.
3959 "timeoutSeconds"?: int32 & int
3960 }
3961
3962 // Deprecated, use webhookTimeoutSeconds under
3963 // webhookConfiguration instead.
3964 "webhookTimeoutSeconds"?: int32 & int
3965 }
3966
3967 // Status contains policy runtime data.
3968 "status"?: {
3969 // AutogenStatus contains autogen status information.
3970 "autogen"?: {
3971 // Rules is a list of Rule instances. It contains auto generated
3972 // rules added for pod controllers
3973 "rules"?: [...{
3974 // CELPreconditions are used to determine if a policy rule should
3975 // be applied by evaluating a
3976 // set of CEL conditions. It can only be used with the
3977 // validate.cel subrule
3978 "celPreconditions"?: [...{
3979 // Expression represents the expression which will be evaluated by
3980 // CEL. Must evaluate to bool.
3981 // CEL expressions have access to the contents of the
3982 // AdmissionRequest and Authorizer, organized into CEL variables:
3983 //
3984 // 'object' - The object from the incoming request. The value is
3985 // null for DELETE requests.
3986 // 'oldObject' - The existing object. The value is null for CREATE
3987 // requests.
3988 // 'request' - Attributes of the admission
3989 // request(/pkg/apis/admission/types.go#AdmissionRequest).
3990 // 'authorizer' - A CEL Authorizer. May be used to perform
3991 // authorization checks for the principal (user or service
3992 // account) of the request.
3993 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
3994 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
3995 // from the 'authorizer' and configured with the
3996 // request resource.
3997 // Documentation on CEL:
3998 // https://kubernetes.io/docs/reference/using-api/cel/
3999 //
4000 // Required.
4001 "expression"!: string
4002
4003 // Name is an identifier for this match condition, used for
4004 // strategic merging of MatchConditions,
4005 // as well as providing an identifier for logging purposes. A good
4006 // name should be descriptive of
4007 // the associated expression.
4008 // Name must be a qualified name consisting of alphanumeric
4009 // characters, '-', '_' or '.', and
4010 // must start and end with an alphanumeric character (e.g.
4011 // 'MyName', or 'my.name', or
4012 // '123-abc', regex used for validation is
4013 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
4014 // optional DNS subdomain prefix and '/' (e.g.
4015 // 'example.com/MyName')
4016 //
4017 // Required.
4018 "name"!: string
4019 }]
4020
4021 // Context defines variables and data sources that can be used
4022 // during rule execution.
4023 "context"?: [...matchN(1, [{
4024 "configMap"!: _
4025 }, {
4026 "apiCall"!: _
4027 }, {
4028 "imageRegistry"!: _
4029 }, {
4030 "variable"!: _
4031 }, {
4032 "globalReference"!: _
4033 }]) & {
4034 // APICall is an HTTP request to the Kubernetes API server, or
4035 // other JSON web service.
4036 // The data returned is stored in the context with the name for
4037 // the context entry.
4038 "apiCall"?: {
4039 // The data object specifies the POST data sent to the server.
4040 // Only applicable when the method field is set to POST.
4041 "data"?: [...{
4042 // Key is a unique identifier for the data value
4043 "key"!: string
4044
4045 // Value is the data value
4046 "value"!: null | bool | number | string | [...] | {
4047 ...
4048 }
4049 }]
4050
4051 // Default is an optional arbitrary JSON object that the context
4052 // value is set to, if the apiCall returns error.
4053 "default"?: null | bool | number | string | [...] | {
4054 ...
4055 }
4056
4057 // JMESPath is an optional JSON Match Expression that can be used
4058 // to
4059 // transform the JSON response returned from the server. For
4060 // example
4061 // a JMESPath of "items | length(@)" applied to the API server
4062 // response
4063 // for the URLPath "/apis/apps/v1/deployments" will return the
4064 // total count
4065 // of deployments across all namespaces.
4066 "jmesPath"?: string
4067
4068 // Method is the HTTP request type (GET or POST). Defaults to GET.
4069 "method"?: "GET" | "POST"
4070
4071 // Service is an API call to a JSON web service.
4072 // This is used for non-Kubernetes API server calls.
4073 // It's mutually exclusive with the URLPath field.
4074 "service"?: {
4075 // CABundle is a PEM encoded CA bundle which will be used to
4076 // validate
4077 // the server certificate.
4078 "caBundle"?: string
4079
4080 // Headers is a list of optional HTTP headers to be included in
4081 // the request.
4082 "headers"?: [...{
4083 // Key is the header key
4084 "key"!: string
4085
4086 // Value is the header value
4087 "value"!: string
4088 }]
4089
4090 // URL is the JSON web service URL. A typical form is
4091 // `https://{service}.{namespace}:{port}/{path}`.
4092 "url"!: string
4093 }
4094
4095 // URLPath is the URL path to be used in the HTTP GET or POST
4096 // request to the
4097 // Kubernetes API server (e.g. "/api/v1/namespaces" or
4098 // "/apis/apps/v1/deployments").
4099 // The format required is the same format used by the `kubectl get
4100 // --raw` command.
4101 // See
4102 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
4103 // for details.
4104 // It's mutually exclusive with the Service field.
4105 "urlPath"?: string
4106 }
4107
4108 // ConfigMap is the ConfigMap reference.
4109 "configMap"?: {
4110 // Name is the ConfigMap name.
4111 "name"!: string
4112
4113 // Namespace is the ConfigMap namespace.
4114 "namespace"?: string
4115 }
4116
4117 // GlobalContextEntryReference is a reference to a cached global
4118 // context entry.
4119 "globalReference"?: {
4120 // JMESPath is an optional JSON Match Expression that can be used
4121 // to
4122 // transform the JSON response returned from the server. For
4123 // example
4124 // a JMESPath of "items | length(@)" applied to the API server
4125 // response
4126 // for the URLPath "/apis/apps/v1/deployments" will return the
4127 // total count
4128 // of deployments across all namespaces.
4129 "jmesPath"?: string
4130
4131 // Name of the global context entry
4132 "name"!: string
4133 }
4134
4135 // ImageRegistry defines requests to an OCI/Docker V2 registry to
4136 // fetch image
4137 // details.
4138 "imageRegistry"?: {
4139 // ImageRegistryCredentials provides credentials that will be used
4140 // for authentication with the registry.
4141 "imageRegistryCredentials"?: {
4142 // AllowInsecureRegistry allows insecure access to a registry.
4143 "allowInsecureRegistry"?: bool
4144
4145 // Providers specifies a list of OCI Registry names, whose
4146 // authentication providers are provided.
4147 // It can be of one of these values:
4148 // default,google,azure,amazon,github.
4149 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
4150
4151 // Secrets specifies a list of secrets that are provided for
4152 // credentials.
4153 // Secrets must live in the Kyverno namespace.
4154 "secrets"?: [...string]
4155 }
4156
4157 // JMESPath is an optional JSON Match Expression that can be used
4158 // to
4159 // transform the ImageData struct returned as a result of
4160 // processing
4161 // the image reference.
4162 "jmesPath"?: string
4163
4164 // Reference is the image reference to a container image in the
4165 // registry.
4166 // Example: ghcr.io/kyverno/kyverno:latest
4167 "reference"!: string
4168 }
4169
4170 // Name is the variable name.
4171 "name"!: string
4172
4173 // Variable defines an arbitrary JMESPath context variable that
4174 // can be defined inline.
4175 "variable"?: {
4176 // Default is an optional arbitrary JSON object that the variable
4177 // may take if the JMESPath
4178 // expression evaluates to nil
4179 "default"?: null | bool | number | string | [...] | {
4180 ...
4181 }
4182
4183 // JMESPath is an optional JMESPath Expression that can be used to
4184 // transform the variable.
4185 "jmesPath"?: string
4186
4187 // Value is any arbitrary JSON object representable in YAML or
4188 // JSON form.
4189 "value"?: null | bool | number | string | [...] | {
4190 ...
4191 }
4192 }
4193 }]
4194
4195 // ExcludeResources defines when this policy rule should not be
4196 // applied. The exclude
4197 // criteria can include resource information (e.g. kind, name,
4198 // namespace, labels)
4199 // and admission review request information like the name or role.
4200 "exclude"?: matchN(0, [null | bool | number | string | [...] | {
4201 "any"!: _
4202 "all"!: _
4203 }]) & {
4204 // All allows specifying resources which will be ANDed
4205 "all"?: [...{
4206 // ClusterRoles is the list of cluster-wide role names for the
4207 // user.
4208 "clusterRoles"?: [...string]
4209
4210 // ResourceDescription contains information about the resource
4211 // being created or modified.
4212 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4213 "name"!: _
4214 "names"!: _
4215 }]) & {
4216 // Annotations is a map of annotations (key-value pairs of type
4217 // string). Annotation keys
4218 // and values support the wildcard characters "*" (matches zero or
4219 // many characters) and
4220 // "?" (matches at least one character).
4221 "annotations"?: [string]: string
4222
4223 // Kinds is a list of resource kinds.
4224 "kinds"?: [...string]
4225
4226 // Name is the name of the resource. The name supports wildcard
4227 // characters
4228 // "*" (matches zero or many characters) and "?" (at least one
4229 // character).
4230 // NOTE: "Name" is being deprecated in favor of "Names".
4231 "name"?: string
4232
4233 // Names are the names of the resources. Each name supports
4234 // wildcard characters
4235 // "*" (matches zero or many characters) and "?" (at least one
4236 // character).
4237 "names"?: [...string]
4238
4239 // NamespaceSelector is a label selector for the resource
4240 // namespace. Label keys and values
4241 // in `matchLabels` support the wildcard characters `*` (matches
4242 // zero or many characters)
4243 // and `?` (matches one character). Wildcards allow writing label
4244 // selectors like
4245 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4246 // any key and value but
4247 // does not match an empty label set.
4248 "namespaceSelector"?: {
4249 // matchExpressions is a list of label selector requirements. The
4250 // requirements are ANDed.
4251 "matchExpressions"?: [...{
4252 // key is the label key that the selector applies to.
4253 "key"!: string
4254
4255 // operator represents a key's relationship to a set of values.
4256 // Valid operators are In, NotIn, Exists and DoesNotExist.
4257 "operator"!: string
4258
4259 // values is an array of string values. If the operator is In or
4260 // NotIn,
4261 // the values array must be non-empty. If the operator is Exists
4262 // or DoesNotExist,
4263 // the values array must be empty. This array is replaced during a
4264 // strategic
4265 // merge patch.
4266 "values"?: [...string]
4267 }]
4268
4269 // matchLabels is a map of {key,value} pairs. A single {key,value}
4270 // in the matchLabels
4271 // map is equivalent to an element of matchExpressions, whose key
4272 // field is "key", the
4273 // operator is "In", and the values array contains only "value".
4274 // The requirements are ANDed.
4275 "matchLabels"?: {
4276 [string]: string
4277 }
4278 }
4279
4280 // Namespaces is a list of namespace names. Each name supports
4281 // wildcard characters
4282 // "*" (matches zero or many characters) and "?" (at least one
4283 // character).
4284 "namespaces"?: [...string]
4285
4286 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4287 // "DELETE"], which are used to match a specific action.
4288 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4289
4290 // Selector is a label selector. Label keys and values in
4291 // `matchLabels` support the wildcard
4292 // characters `*` (matches zero or many characters) and `?`
4293 // (matches one character).
4294 // Wildcards allows writing label selectors like
4295 // ["storage.k8s.io/*": "*"]. Note that
4296 // using ["*" : "*"] matches any key and value but does not match
4297 // an empty label set.
4298 "selector"?: {
4299 // matchExpressions is a list of label selector requirements. The
4300 // requirements are ANDed.
4301 "matchExpressions"?: [...{
4302 // key is the label key that the selector applies to.
4303 "key"!: string
4304
4305 // operator represents a key's relationship to a set of values.
4306 // Valid operators are In, NotIn, Exists and DoesNotExist.
4307 "operator"!: string
4308
4309 // values is an array of string values. If the operator is In or
4310 // NotIn,
4311 // the values array must be non-empty. If the operator is Exists
4312 // or DoesNotExist,
4313 // the values array must be empty. This array is replaced during a
4314 // strategic
4315 // merge patch.
4316 "values"?: [...string]
4317 }]
4318
4319 // matchLabels is a map of {key,value} pairs. A single {key,value}
4320 // in the matchLabels
4321 // map is equivalent to an element of matchExpressions, whose key
4322 // field is "key", the
4323 // operator is "In", and the values array contains only "value".
4324 // The requirements are ANDed.
4325 "matchLabels"?: {
4326 [string]: string
4327 }
4328 }
4329 }
4330
4331 // Roles is the list of namespaced role names for the user.
4332 "roles"?: [...string]
4333
4334 // Subjects is the list of subject names like users, user groups,
4335 // and service accounts.
4336 "subjects"?: [...{
4337 // APIGroup holds the API group of the referenced subject.
4338 // Defaults to "" for ServiceAccount subjects.
4339 // Defaults to "rbac.authorization.k8s.io" for User and Group
4340 // subjects.
4341 "apiGroup"?: string
4342
4343 // Kind of object being referenced. Values defined by this API
4344 // group are "User", "Group", and "ServiceAccount".
4345 // If the Authorizer does not recognize the kind value, the
4346 // Authorizer should report an error.
4347 "kind"!: string
4348
4349 // Name of the object being referenced.
4350 "name"!: string
4351
4352 // Namespace of the referenced object. If the object kind is
4353 // non-namespace, such as "User" or "Group", and this value is
4354 // not empty
4355 // the Authorizer should report an error.
4356 "namespace"?: string
4357 }]
4358 }]
4359
4360 // Any allows specifying resources which will be ORed
4361 "any"?: [...{
4362 // ClusterRoles is the list of cluster-wide role names for the
4363 // user.
4364 "clusterRoles"?: [...string]
4365
4366 // ResourceDescription contains information about the resource
4367 // being created or modified.
4368 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4369 "name"!: _
4370 "names"!: _
4371 }]) & {
4372 // Annotations is a map of annotations (key-value pairs of type
4373 // string). Annotation keys
4374 // and values support the wildcard characters "*" (matches zero or
4375 // many characters) and
4376 // "?" (matches at least one character).
4377 "annotations"?: [string]: string
4378
4379 // Kinds is a list of resource kinds.
4380 "kinds"?: [...string]
4381
4382 // Name is the name of the resource. The name supports wildcard
4383 // characters
4384 // "*" (matches zero or many characters) and "?" (at least one
4385 // character).
4386 // NOTE: "Name" is being deprecated in favor of "Names".
4387 "name"?: string
4388
4389 // Names are the names of the resources. Each name supports
4390 // wildcard characters
4391 // "*" (matches zero or many characters) and "?" (at least one
4392 // character).
4393 "names"?: [...string]
4394
4395 // NamespaceSelector is a label selector for the resource
4396 // namespace. Label keys and values
4397 // in `matchLabels` support the wildcard characters `*` (matches
4398 // zero or many characters)
4399 // and `?` (matches one character). Wildcards allow writing label
4400 // selectors like
4401 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4402 // any key and value but
4403 // does not match an empty label set.
4404 "namespaceSelector"?: {
4405 // matchExpressions is a list of label selector requirements. The
4406 // requirements are ANDed.
4407 "matchExpressions"?: [...{
4408 // key is the label key that the selector applies to.
4409 "key"!: string
4410
4411 // operator represents a key's relationship to a set of values.
4412 // Valid operators are In, NotIn, Exists and DoesNotExist.
4413 "operator"!: string
4414
4415 // values is an array of string values. If the operator is In or
4416 // NotIn,
4417 // the values array must be non-empty. If the operator is Exists
4418 // or DoesNotExist,
4419 // the values array must be empty. This array is replaced during a
4420 // strategic
4421 // merge patch.
4422 "values"?: [...string]
4423 }]
4424
4425 // matchLabels is a map of {key,value} pairs. A single {key,value}
4426 // in the matchLabels
4427 // map is equivalent to an element of matchExpressions, whose key
4428 // field is "key", the
4429 // operator is "In", and the values array contains only "value".
4430 // The requirements are ANDed.
4431 "matchLabels"?: {
4432 [string]: string
4433 }
4434 }
4435
4436 // Namespaces is a list of namespace names. Each name supports
4437 // wildcard characters
4438 // "*" (matches zero or many characters) and "?" (at least one
4439 // character).
4440 "namespaces"?: [...string]
4441
4442 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4443 // "DELETE"], which are used to match a specific action.
4444 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4445
4446 // Selector is a label selector. Label keys and values in
4447 // `matchLabels` support the wildcard
4448 // characters `*` (matches zero or many characters) and `?`
4449 // (matches one character).
4450 // Wildcards allow writing label selectors like
4451 // ["storage.k8s.io/*": "*"]. Note that
4452 // using ["*" : "*"] matches any key and value but does not match
4453 // an empty label set.
4454 "selector"?: {
4455 // matchExpressions is a list of label selector requirements. The
4456 // requirements are ANDed.
4457 "matchExpressions"?: [...{
4458 // key is the label key that the selector applies to.
4459 "key"!: string
4460
4461 // operator represents a key's relationship to a set of values.
4462 // Valid operators are In, NotIn, Exists and DoesNotExist.
4463 "operator"!: string
4464
4465 // values is an array of string values. If the operator is In or
4466 // NotIn,
4467 // the values array must be non-empty. If the operator is Exists
4468 // or DoesNotExist,
4469 // the values array must be empty. This array is replaced during a
4470 // strategic
4471 // merge patch.
4472 "values"?: [...string]
4473 }]
4474
4475 // matchLabels is a map of {key,value} pairs. A single {key,value}
4476 // in the matchLabels
4477 // map is equivalent to an element of matchExpressions, whose key
4478 // field is "key", the
4479 // operator is "In", and the values array contains only "value".
4480 // The requirements are ANDed.
4481 "matchLabels"?: {
4482 [string]: string
4483 }
4484 }
4485 }
4486
4487 // Roles is the list of namespaced role names for the user.
4488 "roles"?: [...string]
4489
4490 // Subjects is the list of subject names like users, user groups,
4491 // and service accounts.
4492 "subjects"?: [...{
4493 // APIGroup holds the API group of the referenced subject.
4494 // Defaults to "" for ServiceAccount subjects.
4495 // Defaults to "rbac.authorization.k8s.io" for User and Group
4496 // subjects.
4497 "apiGroup"?: string
4498
4499 // Kind of object being referenced. Values defined by this API
4500 // group are "User", "Group", and "ServiceAccount".
4501 // If the Authorizer does not recognize the kind value, the
4502 // Authorizer should report an error.
4503 "kind"!: string
4504
4505 // Name of the object being referenced.
4506 "name"!: string
4507
4508 // Namespace of the referenced object. If the object kind is
4509 // non-namespaced, such as "User" or "Group", and this value is
4510 // not empty,
4511 // the Authorizer should report an error.
4512 "namespace"?: string
4513 }]
4514 }]
4515
4516 // ClusterRoles is the list of cluster-wide role names for the
4517 // user.
4518 "clusterRoles"?: [...string]
4519
4520 // ResourceDescription contains information about the resource
4521 // being created or modified.
4522 // Requires at least one tag to be specified when under
4523 // MatchResources.
4524 // Specifying ResourceDescription directly under match is being
4525 // deprecated.
4526 // Please specify under "any" or "all" instead.
4527 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4528 "name"!: _
4529 "names"!: _
4530 }]) & {
4531 // Annotations is a map of annotations (key-value pairs of type
4532 // string). Annotation keys
4533 // and values support the wildcard characters "*" (matches zero or
4534 // many characters) and
4535 // "?" (matches at least one character).
4536 "annotations"?: [string]: string
4537
4538 // Kinds is a list of resource kinds.
4539 "kinds"?: [...string]
4540
4541 // Name is the name of the resource. The name supports wildcard
4542 // characters
4543 // "*" (matches zero or many characters) and "?" (at least one
4544 // character).
4545 // NOTE: "Name" is being deprecated in favor of "Names".
4546 "name"?: string
4547
4548 // Names are the names of the resources. Each name supports
4549 // wildcard characters
4550 // "*" (matches zero or many characters) and "?" (at least one
4551 // character).
4552 "names"?: [...string]
4553
4554 // NamespaceSelector is a label selector for the resource
4555 // namespace. Label keys and values
4556 // in `matchLabels` support the wildcard characters `*` (matches
4557 // zero or many characters)
4558 // and `?` (matches one character). Wildcards allow writing label
4559 // selectors like
4560 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4561 // any key and value but
4562 // does not match an empty label set.
4563 "namespaceSelector"?: {
4564 // matchExpressions is a list of label selector requirements. The
4565 // requirements are ANDed.
4566 "matchExpressions"?: [...{
4567 // key is the label key that the selector applies to.
4568 "key"!: string
4569
4570 // operator represents a key's relationship to a set of values.
4571 // Valid operators are In, NotIn, Exists and DoesNotExist.
4572 "operator"!: string
4573
4574 // values is an array of string values. If the operator is In or
4575 // NotIn,
4576 // the values array must be non-empty. If the operator is Exists
4577 // or DoesNotExist,
4578 // the values array must be empty. This array is replaced during a
4579 // strategic
4580 // merge patch.
4581 "values"?: [...string]
4582 }]
4583
4584 // matchLabels is a map of {key,value} pairs. A single {key,value}
4585 // in the matchLabels
4586 // map is equivalent to an element of matchExpressions, whose key
4587 // field is "key", the
4588 // operator is "In", and the values array contains only "value".
4589 // The requirements are ANDed.
4590 "matchLabels"?: {
4591 [string]: string
4592 }
4593 }
4594
4595 // Namespaces is a list of namespace names. Each name supports
4596 // wildcard characters
4597 // "*" (matches zero or many characters) and "?" (at least one
4598 // character).
4599 "namespaces"?: [...string]
4600
4601 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4602 // "DELETE"], which are used to match a specific action.
4603 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4604
4605 // Selector is a label selector. Label keys and values in
4606 // `matchLabels` support the wildcard
4607 // characters `*` (matches zero or many characters) and `?`
4608 // (matches one character).
4609 // Wildcards allow writing label selectors like
4610 // ["storage.k8s.io/*": "*"]. Note that
4611 // using ["*" : "*"] matches any key and value but does not match
4612 // an empty label set.
4613 "selector"?: {
4614 // matchExpressions is a list of label selector requirements. The
4615 // requirements are ANDed.
4616 "matchExpressions"?: [...{
4617 // key is the label key that the selector applies to.
4618 "key"!: string
4619
4620 // operator represents a key's relationship to a set of values.
4621 // Valid operators are In, NotIn, Exists and DoesNotExist.
4622 "operator"!: string
4623
4624 // values is an array of string values. If the operator is In or
4625 // NotIn,
4626 // the values array must be non-empty. If the operator is Exists
4627 // or DoesNotExist,
4628 // the values array must be empty. This array is replaced during a
4629 // strategic
4630 // merge patch.
4631 "values"?: [...string]
4632 }]
4633
4634 // matchLabels is a map of {key,value} pairs. A single {key,value}
4635 // in the matchLabels
4636 // map is equivalent to an element of matchExpressions, whose key
4637 // field is "key", the
4638 // operator is "In", and the values array contains only "value".
4639 // The requirements are ANDed.
4640 "matchLabels"?: {
4641 [string]: string
4642 }
4643 }
4644 }
4645
4646 // Roles is the list of namespaced role names for the user.
4647 "roles"?: [...string]
4648
4649 // Subjects is the list of subject names like users, user groups,
4650 // and service accounts.
4651 "subjects"?: [...{
4652 // APIGroup holds the API group of the referenced subject.
4653 // Defaults to "" for ServiceAccount subjects.
4654 // Defaults to "rbac.authorization.k8s.io" for User and Group
4655 // subjects.
4656 "apiGroup"?: string
4657
4658 // Kind of object being referenced. Values defined by this API
4659 // group are "User", "Group", and "ServiceAccount".
4660 // If the Authorizer does not recognize the kind value, the
4661 // Authorizer should report an error.
4662 "kind"!: string
4663
4664 // Name of the object being referenced.
4665 "name"!: string
4666
4667 // Namespace of the referenced object. If the object kind is
4668 // non-namespaced, such as "User" or "Group", and this value is
4669 // not empty,
4670 // the Authorizer should report an error.
4671 "namespace"?: string
4672 }]
4673 }
4674
4675 // Generation is used to create new resources.
4676 "generate"?: {
4677 // APIVersion specifies resource apiVersion.
4678 "apiVersion"?: string
4679
4680 // Clone specifies the source resource used to populate each
4681 // generated resource.
4682 // At most one of Data or Clone can be specified. If neither are
4683 // provided, the generated
4684 // resource will be created with default data only.
4685 "clone"?: {
4686 // Name specifies name of the resource.
4687 "name"?: string
4688
4689 // Namespace specifies source resource namespace.
4690 "namespace"?: string
4691 }
4692
4693 // CloneList specifies the list of source resources used to
4694 // populate each generated resource.
4695 "cloneList"?: {
4696 // Kinds is a list of resource kinds.
4697 "kinds"?: [...string]
4698
4699 // Namespace specifies source resource namespace.
4700 "namespace"?: string
4701
4702 // Selector is a label selector applied to the label keys and
4703 // values in `matchLabels`.
4704 // Wildcard characters are not supported.
4705 "selector"?: {
4706 // matchExpressions is a list of label selector requirements. The
4707 // requirements are ANDed.
4708 "matchExpressions"?: [...{
4709 // key is the label key that the selector applies to.
4710 "key"!: string
4711
4712 // operator represents a key's relationship to a set of values.
4713 // Valid operators are In, NotIn, Exists and DoesNotExist.
4714 "operator"!: string
4715
4716 // values is an array of string values. If the operator is In or
4717 // NotIn,
4718 // the values array must be non-empty. If the operator is Exists
4719 // or DoesNotExist,
4720 // the values array must be empty. This array is replaced during a
4721 // strategic
4722 // merge patch.
4723 "values"?: [...string]
4724 }]
4725
4726 // matchLabels is a map of {key,value} pairs. A single {key,value}
4727 // in the matchLabels
4728 // map is equivalent to an element of matchExpressions, whose key
4729 // field is "key", the
4730 // operator is "In", and the values array contains only "value".
4731 // The requirements are ANDed.
4732 "matchLabels"?: {
4733 [string]: string
4734 }
4735 }
4736 }
4737
4738 // Data provides the resource declaration used to populate each
4739 // generated resource.
4740 // At most one of Data or Clone can be specified. If neither are
4741 // provided, the generated
4742 // resource will be created with default data only.
4743 "data"?: null | bool | number | string | [...] | {
4744 ...
4745 }
4746
4747 // ForEach applies generate rules to a list of sub-elements by
4748 // creating a context for each entry in the list and looping over
4749 // it to apply the specified logic.
4750 "foreach"?: [...{
4751 // APIVersion specifies resource apiVersion.
4752 "apiVersion"?: string
4753
4754 // Clone specifies the source resource used to populate each
4755 // generated resource.
4756 // At most one of Data or Clone can be specified. If neither are
4757 // provided, the generated
4758 // resource will be created with default data only.
4759 "clone"?: {
4760 // Name specifies name of the resource.
4761 "name"?: string
4762
4763 // Namespace specifies source resource namespace.
4764 "namespace"?: string
4765 }
4766
4767 // CloneList specifies the list of source resources used to
4768 // populate each generated resource.
4769 "cloneList"?: {
4770 // Kinds is a list of resource kinds.
4771 "kinds"?: [...string]
4772
4773 // Namespace specifies source resource namespace.
4774 "namespace"?: string
4775
4776 // Selector is a label selector applied to the label keys and
4777 // values in `matchLabels`.
4778 // Wildcard characters are not supported.
4779 "selector"?: {
4780 // matchExpressions is a list of label selector requirements. The
4781 // requirements are ANDed.
4782 "matchExpressions"?: [...{
4783 // key is the label key that the selector applies to.
4784 "key"!: string
4785
4786 // operator represents a key's relationship to a set of values.
4787 // Valid operators are In, NotIn, Exists and DoesNotExist.
4788 "operator"!: string
4789
4790 // values is an array of string values. If the operator is In or
4791 // NotIn,
4792 // the values array must be non-empty. If the operator is Exists
4793 // or DoesNotExist,
4794 // the values array must be empty. This array is replaced during a
4795 // strategic
4796 // merge patch.
4797 "values"?: [...string]
4798 }]
4799
4800 // matchLabels is a map of {key,value} pairs. A single {key,value}
4801 // in the matchLabels
4802 // map is equivalent to an element of matchExpressions, whose key
4803 // field is "key", the
4804 // operator is "In", and the values array contains only "value".
4805 // The requirements are ANDed.
4806 "matchLabels"?: {
4807 [string]: string
4808 }
4809 }
4810 }
4811
4812 // Context defines variables and data sources that can be used
4813 // during rule execution.
4814 "context"?: [...matchN(1, [{
4815 "configMap"!: _
4816 }, {
4817 "apiCall"!: _
4818 }, {
4819 "imageRegistry"!: _
4820 }, {
4821 "variable"!: _
4822 }, {
4823 "globalReference"!: _
4824 }]) & {
4825 // APICall is an HTTP request to the Kubernetes API server, or
4826 // other JSON web service.
4827 // The data returned is stored in the context with the name for
4828 // the context entry.
4829 "apiCall"?: {
4830 // The data object specifies the POST data sent to the server.
4831 // Only applicable when the method field is set to POST.
4832 "data"?: [...{
4833 // Key is a unique identifier for the data value
4834 "key"!: string
4835
4836 // Value is the data value
4837 "value"!: null | bool | number | string | [...] | {
4838 ...
4839 }
4840 }]
4841
4842 // Default is an optional arbitrary JSON object that the context
4843 // value is set to if the apiCall returns an error.
4844 "default"?: null | bool | number | string | [...] | {
4845 ...
4846 }
4847
4848 // JMESPath is an optional JSON Match Expression that can be used
4849 // to
4850 // transform the JSON response returned from the server. For
4851 // example
4852 // a JMESPath of "items | length(@)" applied to the API server
4853 // response
4854 // for the URLPath "/apis/apps/v1/deployments" will return the
4855 // total count
4856 // of deployments across all namespaces.
4857 "jmesPath"?: string
4858
4859 // Method is the HTTP request type (GET or POST). Defaults to GET.
4860 "method"?: "GET" | "POST"
4861
4862 // Service is an API call to a JSON web service.
4863 // This is used for non-Kubernetes API server calls.
4864 // It's mutually exclusive with the URLPath field.
4865 "service"?: {
4866 // CABundle is a PEM encoded CA bundle which will be used to
4867 // validate
4868 // the server certificate.
4869 "caBundle"?: string
4870
4871 // Headers is a list of optional HTTP headers to be included in
4872 // the request.
4873 "headers"?: [...{
4874 // Key is the header key
4875 "key"!: string
4876
4877 // Value is the header value
4878 "value"!: string
4879 }]
4880
4881 // URL is the JSON web service URL. A typical form is
4882 // `https://{service}.{namespace}:{port}/{path}`.
4883 "url"!: string
4884 }
4885
4886 // URLPath is the URL path to be used in the HTTP GET or POST
4887 // request to the
4888 // Kubernetes API server (e.g. "/api/v1/namespaces" or
4889 // "/apis/apps/v1/deployments").
4890 // The format required is the same format used by the `kubectl get
4891 // --raw` command.
4892 // See
4893 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
4894 // for details.
4895 // It's mutually exclusive with the Service field.
4896 "urlPath"?: string
4897 }
4898
4899 // ConfigMap is the ConfigMap reference.
4900 "configMap"?: {
4901 // Name is the ConfigMap name.
4902 "name"!: string
4903
4904 // Namespace is the ConfigMap namespace.
4905 "namespace"?: string
4906 }
4907
4908 // GlobalContextEntryReference is a reference to a cached global
4909 // context entry.
4910 "globalReference"?: {
4911 // JMESPath is an optional JSON Match Expression that can be used
4912 // to
4913 // transform the JSON response returned from the server. For
4914 // example
4915 // a JMESPath of "items | length(@)" applied to the API server
4916 // response
4917 // for the URLPath "/apis/apps/v1/deployments" will return the
4918 // total count
4919 // of deployments across all namespaces.
4920 "jmesPath"?: string
4921
4922 // Name of the global context entry
4923 "name"!: string
4924 }
4925
4926 // ImageRegistry defines requests to an OCI/Docker V2 registry to
4927 // fetch image
4928 // details.
4929 "imageRegistry"?: {
4930 // ImageRegistryCredentials provides credentials that will be used
4931 // for authentication with registry
4932 "imageRegistryCredentials"?: {
4933 // AllowInsecureRegistry allows insecure access to a registry.
4934 "allowInsecureRegistry"?: bool
4935
4936 // Providers specifies a list of OCI Registry names whose
4937 // authentication providers are used.
4938 // Each entry must be one of these values:
4939 // default, google, azure, amazon, github.
4940 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
4941
4942 // Secrets specifies a list of secrets that are provided for
4943 // credentials.
4944 // Secrets must live in the Kyverno namespace.
4945 "secrets"?: [...string]
4946 }
4947
4948 // JMESPath is an optional JSON Match Expression that can be used
4949 // to
4950 // transform the ImageData struct returned as a result of
4951 // processing
4952 // the image reference.
4953 "jmesPath"?: string
4954
4955 // Reference is image reference to a container image in the
4956 // registry.
4957 // Example: ghcr.io/kyverno/kyverno:latest
4958 "reference"!: string
4959 }
4960
4961 // Name is the variable name.
4962 "name"!: string
4963
4964 // Variable defines an arbitrary JMESPath context variable that
4965 // can be defined inline.
4966 "variable"?: {
4967 // Default is an optional arbitrary JSON object that the variable
4968 // may take if the JMESPath
4969 // expression evaluates to nil
4970 "default"?: null | bool | number | string | [...] | {
4971 ...
4972 }
4973
4974 // JMESPath is an optional JMESPath Expression that can be used to
4975 // transform the variable.
4976 "jmesPath"?: string
4977
4978 // Value is any arbitrary JSON object representable in YAML or
4979 // JSON form.
4980 "value"?: null | bool | number | string | [...] | {
4981 ...
4982 }
4983 }
4984 }]
4985
4986 // Data provides the resource declaration used to populate each
4987 // generated resource.
4988 // At most one of Data or Clone can be specified. If neither are
4989 // provided, the generated
4990 // resource will be created with default data only.
4991 "data"?: null | bool | number | string | [...] | {
4992 ...
4993 }
4994
4995 // Kind specifies resource kind.
4996 "kind"?: string
4997
4998 // List specifies a JMESPath expression that results in one or
4999 // more elements
5000 // to which the validation logic is applied.
5001 "list"?: string
5002
5003 // Name specifies the resource name.
5004 "name"?: string
5005
5006 // Namespace specifies resource namespace.
5007 "namespace"?: string
5008
5009 // AnyAllConditions are used to determine if a policy rule should
5010 // be applied by evaluating a
5011 // set of conditions. The declaration can contain nested `any` or
5012 // `all` statements.
5013 // See: https://kyverno.io/docs/writing-policies/preconditions/
5014 "preconditions"?: {
5015 // AllConditions enable variable-based conditional rule execution.
5016 // This is useful for
5017 // finer control of when a rule is applied. A condition can
5018 // reference object data
5019 // using JMESPath notation.
5020 // Here, all of the conditions need to pass
5021 "all"?: [...{
5022 // Key is the context entry (using JMESPath) for conditional rule
5023 // evaluation.
5024 "key"?: null | bool | number | string | [...] | {
5025 ...
5026 }
5027
5028 // Message is an optional display message
5029 "message"?: string
5030
5031 // Operator is the conditional operation to perform. Valid
5032 // operators are:
5033 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5034 // GreaterThanOrEquals,
5035 // GreaterThan, LessThanOrEquals, LessThan,
5036 // DurationGreaterThanOrEquals, DurationGreaterThan,
5037 // DurationLessThanOrEquals, DurationLessThan
5038 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5039
5040 // Value is the conditional value, or set of values. The values
5041 // can be fixed set
5042 // or can be variables declared using JMESPath.
5043 "value"?: null | bool | number | string | [...] | {
5044 ...
5045 }
5046 }]
5047
5048 // AnyConditions enable variable-based conditional rule execution.
5049 // This is useful for
5050 // finer control of when a rule is applied. A condition can
5051 // reference object data
5052 // using JMESPath notation.
5053 // Here, at least one of the conditions need to pass
5054 "any"?: [...{
5055 // Key is the context entry (using JMESPath) for conditional rule
5056 // evaluation.
5057 "key"?: null | bool | number | string | [...] | {
5058 ...
5059 }
5060
5061 // Message is an optional display message
5062 "message"?: string
5063
5064 // Operator is the conditional operation to perform. Valid
5065 // operators are:
5066 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5067 // GreaterThanOrEquals,
5068 // GreaterThan, LessThanOrEquals, LessThan,
5069 // DurationGreaterThanOrEquals, DurationGreaterThan,
5070 // DurationLessThanOrEquals, DurationLessThan
5071 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5072
5073 // Value is the conditional value, or set of values. The values
5074 // can be fixed set
5075 // or can be variables declared using JMESPath.
5076 "value"?: null | bool | number | string | [...] | {
5077 ...
5078 }
5079 }]
5080 ...
5081 }
5082
5083 // UID specifies the resource uid.
5084 "uid"?: string
5085 }]
5086
5087 // GenerateExisting controls whether to trigger the rule in
5088 // existing resources
5089 // If set to "true", the rule will be triggered and applied to
5090 // existing matched resources.
5091 "generateExisting"?: bool
5092
5093 // Kind specifies resource kind.
5094 "kind"?: string
5095
5096 // Name specifies the resource name.
5097 "name"?: string
5098
5099 // Namespace specifies resource namespace.
5100 "namespace"?: string
5101
5102 // OrphanDownstreamOnPolicyDelete controls whether generated
5103 // resources should be deleted when the rule that generated
5104 // them is deleted with synchronization enabled. This option is
5105 // only applicable to generate rules of the data type.
5106 // See
5107 // https://kyverno.io/docs/writing-policies/generate/#data-examples.
5108 // Defaults to "false" if not specified.
5109 "orphanDownstreamOnPolicyDelete"?: bool
5110
5111 // Synchronize controls if generated resources should be kept
5112 // in-sync with their source resource.
5113 // If Synchronize is set to "true" changes to generated resources
5114 // will be overwritten with resource
5115 // data from Data or the resource specified in the Clone
5116 // declaration.
5117 // Optional. Defaults to "false" if not specified.
5118 "synchronize"?: bool
5119
5120 // UID specifies the resource uid.
5121 "uid"?: string
5122 }
5123
5124 // ImageExtractors defines a mapping from kinds to
5125 // ImageExtractorConfigs.
5126 // This config is only valid for verifyImages rules.
5127 "imageExtractors"?: {
5128 [string]: [...{
5129 // JMESPath is an optional JMESPath expression to apply to the
5130 // image value.
5131 // This is useful when the extracted image begins with a prefix
5132 // like 'docker://'.
5133 // The 'trim_prefix' function may be used to trim the prefix:
5134 // trim_prefix(@, 'docker://').
5135 // Note - Image digest mutation may not be used when applying a
5136 // JMESPath to an image.
5137 "jmesPath"?: string
5138
5139 // Key is an optional name of the field within 'path' that will be
5140 // used to uniquely identify an image.
5141 // Note - this field MUST be unique.
5142 "key"?: string
5143
5144 // Name is the entry the image will be available under
5145 // 'images.<name>' in the context.
5146 // If this field is not defined, image entries will appear under
5147 // 'images.custom'.
5148 "name"?: string
5149
5150 // Path is the path to the object containing the image field in a
5151 // custom resource.
5152 // It should be slash-separated. Each slash-separated key must be
5153 // a valid YAML key or a wildcard '*'.
5154 // Wildcard keys are expanded in case of arrays or objects.
5155 "path"!: string
5156
5157 // Value is an optional name of the field within 'path' that
5158 // points to the image URI.
5159 // This is useful when a custom 'key' is also defined.
5160 "value"?: string
5161 }]
5162 }
5163
5164 // MatchResources defines when this policy rule should be applied.
5165 // The match
5166 // criteria can include resource information (e.g. kind, name,
5167 // namespace, labels)
5168 // and admission review request information like the user name or
5169 // role.
5170 // At least one kind is required.
5171 "match"!: matchN(0, [null | bool | number | string | [...] | {
5172 "any"!: _
5173 "all"!: _
5174 }]) & {
5175 // All allows specifying resources which will be ANDed
5176 "all"?: [...{
5177 // ClusterRoles is the list of cluster-wide role names for the
5178 // user.
5179 "clusterRoles"?: [...string]
5180
5181 // ResourceDescription contains information about the resource
5182 // being created or modified.
5183 "resources"?: matchN(0, [null | bool | number | string | [...] | {
5184 "name"!: _
5185 "names"!: _
5186 }]) & {
5187 // Annotations is a map of annotations (key-value pairs of type
5188 // string). Annotation keys
5189 // and values support the wildcard characters "*" (matches zero or
5190 // many characters) and
5191 // "?" (matches at least one character).
5192 "annotations"?: [string]: string
5193
5194 // Kinds is a list of resource kinds.
5195 "kinds"?: [...string]
5196
5197 // Name is the name of the resource. The name supports wildcard
5198 // characters
5199 // "*" (matches zero or many characters) and "?" (at least one
5200 // character).
5201 // NOTE: "Name" is being deprecated in favor of "Names".
5202 "name"?: string
5203
5204 // Names are the names of the resources. Each name supports
5205 // wildcard characters
5206 // "*" (matches zero or many characters) and "?" (at least one
5207 // character).
5208 "names"?: [...string]
5209
5210 // NamespaceSelector is a label selector for the resource
5211 // namespace. Label keys and values
5212 // in `matchLabels` support the wildcard characters `*` (matches
5213 // zero or many characters)
5214 // and `?` (matches one character). Wildcards allow writing label
5215 // selectors like
5216 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5217 // any key and value but
5218 // does not match an empty label set.
5219 "namespaceSelector"?: {
5220 // matchExpressions is a list of label selector requirements. The
5221 // requirements are ANDed.
5222 "matchExpressions"?: [...{
5223 // key is the label key that the selector applies to.
5224 "key"!: string
5225
5226 // operator represents a key's relationship to a set of values.
5227 // Valid operators are In, NotIn, Exists and DoesNotExist.
5228 "operator"!: string
5229
5230 // values is an array of string values. If the operator is In or
5231 // NotIn,
5232 // the values array must be non-empty. If the operator is Exists
5233 // or DoesNotExist,
5234 // the values array must be empty. This array is replaced during a
5235 // strategic
5236 // merge patch.
5237 "values"?: [...string]
5238 }]
5239
5240 // matchLabels is a map of {key,value} pairs. A single {key,value}
5241 // in the matchLabels
5242 // map is equivalent to an element of matchExpressions, whose key
5243 // field is "key", the
5244 // operator is "In", and the values array contains only "value".
5245 // The requirements are ANDed.
5246 "matchLabels"?: {
5247 [string]: string
5248 }
5249 }
5250
5251 // Namespaces is a list of namespace names. Each name supports
5252 // wildcard characters
5253 // "*" (matches zero or many characters) and "?" (at least one
5254 // character).
5255 "namespaces"?: [...string]
5256
5257 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5258 // "DELETE"], which are used to match a specific action.
5259 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5260
5261 // Selector is a label selector. Label keys and values in
5262 // `matchLabels` support the wildcard
5263 // characters `*` (matches zero or many characters) and `?`
5264 // (matches one character).
5265 // Wildcards allow writing label selectors like
5266 // ["storage.k8s.io/*": "*"]. Note that
5267 // using ["*" : "*"] matches any key and value but does not match
5268 // an empty label set.
5269 "selector"?: {
5270 // matchExpressions is a list of label selector requirements. The
5271 // requirements are ANDed.
5272 "matchExpressions"?: [...{
5273 // key is the label key that the selector applies to.
5274 "key"!: string
5275
5276 // operator represents a key's relationship to a set of values.
5277 // Valid operators are In, NotIn, Exists and DoesNotExist.
5278 "operator"!: string
5279
5280 // values is an array of string values. If the operator is In or
5281 // NotIn,
5282 // the values array must be non-empty. If the operator is Exists
5283 // or DoesNotExist,
5284 // the values array must be empty. This array is replaced during a
5285 // strategic
5286 // merge patch.
5287 "values"?: [...string]
5288 }]
5289
5290 // matchLabels is a map of {key,value} pairs. A single {key,value}
5291 // in the matchLabels
5292 // map is equivalent to an element of matchExpressions, whose key
5293 // field is "key", the
5294 // operator is "In", and the values array contains only "value".
5295 // The requirements are ANDed.
5296 "matchLabels"?: {
5297 [string]: string
5298 }
5299 }
5300 }
5301
5302 // Roles is the list of namespaced role names for the user.
5303 "roles"?: [...string]
5304
5305 // Subjects is the list of subject names like users, user groups,
5306 // and service accounts.
5307 "subjects"?: [...{
5308 // APIGroup holds the API group of the referenced subject.
5309 // Defaults to "" for ServiceAccount subjects.
5310 // Defaults to "rbac.authorization.k8s.io" for User and Group
5311 // subjects.
5312 "apiGroup"?: string
5313
5314 // Kind of object being referenced. Values defined by this API
5315 // group are "User", "Group", and "ServiceAccount".
5316 // If the Authorizer does not recognize the kind value, the
5317 // Authorizer should report an error.
5318 "kind"!: string
5319
5320 // Name of the object being referenced.
5321 "name"!: string
5322
5323 // Namespace of the referenced object. If the object kind is
5324 // non-namespaced, such as "User" or "Group", and this value is
5325 // not empty,
5326 // the Authorizer should report an error.
5327 "namespace"?: string
5328 }]
5329 }]
5330
5331 // Any allows specifying resources which will be ORed
5332 "any"?: [...{
5333 // ClusterRoles is the list of cluster-wide role names for the
5334 // user.
5335 "clusterRoles"?: [...string]
5336
5337 // ResourceDescription contains information about the resource
5338 // being created or modified.
5339 "resources"?: matchN(0, [null | bool | number | string | [...] | {
5340 "name"!: _
5341 "names"!: _
5342 }]) & {
5343 // Annotations is a map of annotations (key-value pairs of type
5344 // string). Annotation keys
5345 // and values support the wildcard characters "*" (matches zero or
5346 // many characters) and
5347 // "?" (matches at least one character).
5348 "annotations"?: [string]: string
5349
5350 // Kinds is a list of resource kinds.
5351 "kinds"?: [...string]
5352
5353 // Name is the name of the resource. The name supports wildcard
5354 // characters
5355 // "*" (matches zero or many characters) and "?" (at least one
5356 // character).
5357 // NOTE: "Name" is being deprecated in favor of "Names".
5358 "name"?: string
5359
5360 // Names are the names of the resources. Each name supports
5361 // wildcard characters
5362 // "*" (matches zero or many characters) and "?" (at least one
5363 // character).
5364 "names"?: [...string]
5365
5366 // NamespaceSelector is a label selector for the resource
5367 // namespace. Label keys and values
5368 // in `matchLabels` support the wildcard characters `*` (matches
5369 // zero or many characters)
5370 // and `?` (matches one character). Wildcards allow writing label
5371 // selectors like
5372 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5373 // any key and value but
5374 // does not match an empty label set.
5375 "namespaceSelector"?: {
5376 // matchExpressions is a list of label selector requirements. The
5377 // requirements are ANDed.
5378 "matchExpressions"?: [...{
5379 // key is the label key that the selector applies to.
5380 "key"!: string
5381
5382 // operator represents a key's relationship to a set of values.
5383 // Valid operators are In, NotIn, Exists and DoesNotExist.
5384 "operator"!: string
5385
5386 // values is an array of string values. If the operator is In or
5387 // NotIn,
5388 // the values array must be non-empty. If the operator is Exists
5389 // or DoesNotExist,
5390 // the values array must be empty. This array is replaced during a
5391 // strategic
5392 // merge patch.
5393 "values"?: [...string]
5394 }]
5395
5396 // matchLabels is a map of {key,value} pairs. A single {key,value}
5397 // in the matchLabels
5398 // map is equivalent to an element of matchExpressions, whose key
5399 // field is "key", the
5400 // operator is "In", and the values array contains only "value".
5401 // The requirements are ANDed.
5402 "matchLabels"?: {
5403 [string]: string
5404 }
5405 }
5406
5407 // Namespaces is a list of namespace names. Each name supports
5408 // wildcard characters
5409 // "*" (matches zero or many characters) and "?" (at least one
5410 // character).
5411 "namespaces"?: [...string]
5412
5413 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5414 // "DELETE"], which are used to match a specific action.
5415 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5416
5417 // Selector is a label selector. Label keys and values in
5418 // `matchLabels` support the wildcard
5419 // characters `*` (matches zero or many characters) and `?`
5420 // (matches one character).
5421 // Wildcards allow writing label selectors like
5422 // ["storage.k8s.io/*": "*"]. Note that
5423 // using ["*" : "*"] matches any key and value but does not match
5424 // an empty label set.
5425 "selector"?: {
5426 // matchExpressions is a list of label selector requirements. The
5427 // requirements are ANDed.
5428 "matchExpressions"?: [...{
5429 // key is the label key that the selector applies to.
5430 "key"!: string
5431
5432 // operator represents a key's relationship to a set of values.
5433 // Valid operators are In, NotIn, Exists and DoesNotExist.
5434 "operator"!: string
5435
5436 // values is an array of string values. If the operator is In or
5437 // NotIn,
5438 // the values array must be non-empty. If the operator is Exists
5439 // or DoesNotExist,
5440 // the values array must be empty. This array is replaced during a
5441 // strategic
5442 // merge patch.
5443 "values"?: [...string]
5444 }]
5445
5446 // matchLabels is a map of {key,value} pairs. A single {key,value}
5447 // in the matchLabels
5448 // map is equivalent to an element of matchExpressions, whose key
5449 // field is "key", the
5450 // operator is "In", and the values array contains only "value".
5451 // The requirements are ANDed.
5452 "matchLabels"?: {
5453 [string]: string
5454 }
5455 }
5456 }
5457
5458 // Roles is the list of namespaced role names for the user.
5459 "roles"?: [...string]
5460
5461 // Subjects is the list of subject names like users, user groups,
5462 // and service accounts.
5463 "subjects"?: [...{
5464 // APIGroup holds the API group of the referenced subject.
5465 // Defaults to "" for ServiceAccount subjects.
5466 // Defaults to "rbac.authorization.k8s.io" for User and Group
5467 // subjects.
5468 "apiGroup"?: string
5469
5470 // Kind of object being referenced. Values defined by this API
5471 // group are "User", "Group", and "ServiceAccount".
5472 // If the Authorizer does not recognize the kind value, the
5473 // Authorizer should report an error.
5474 "kind"!: string
5475
5476 // Name of the object being referenced.
5477 "name"!: string
5478
5479 // Namespace of the referenced object. If the object kind is
5480 // non-namespaced, such as "User" or "Group", and this value is
5481 // not empty,
5482 // the Authorizer should report an error.
5483 "namespace"?: string
5484 }]
5485 }]
5486
5487 // ClusterRoles is the list of cluster-wide role names for the
5488 // user.
5489 "clusterRoles"?: [...string]
5490
5491 // ResourceDescription contains information about the resource
5492 // being created or modified.
5493 // Requires at least one tag to be specified when under
5494 // MatchResources.
5495 // Specifying ResourceDescription directly under match is being
5496 // deprecated.
5497 // Please specify under "any" or "all" instead.
5498 "resources"?: matchN(0, [null | bool | number | string | [...] | {
5499 "name"!: _
5500 "names"!: _
5501 }]) & {
5502 // Annotations is a map of annotations (key-value pairs of type
5503 // string). Annotation keys
5504 // and values support the wildcard characters "*" (matches zero or
5505 // many characters) and
5506 // "?" (matches at least one character).
5507 "annotations"?: [string]: string
5508
5509 // Kinds is a list of resource kinds.
5510 "kinds"?: [...string]
5511
5512 // Name is the name of the resource. The name supports wildcard
5513 // characters
5514 // "*" (matches zero or many characters) and "?" (at least one
5515 // character).
5516 // NOTE: "Name" is being deprecated in favor of "Names".
5517 "name"?: string
5518
5519 // Names are the names of the resources. Each name supports
5520 // wildcard characters
5521 // "*" (matches zero or many characters) and "?" (at least one
5522 // character).
5523 "names"?: [...string]
5524
5525 // NamespaceSelector is a label selector for the resource
5526 // namespace. Label keys and values
5527 // in `matchLabels` support the wildcard characters `*` (matches
5528 // zero or many characters)
5529 // and `?` (matches one character). Wildcards allow writing label
5530 // selectors like
5531 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5532 // any key and value but
5533 // does not match an empty label set.
5534 "namespaceSelector"?: {
5535 // matchExpressions is a list of label selector requirements. The
5536 // requirements are ANDed.
5537 "matchExpressions"?: [...{
5538 // key is the label key that the selector applies to.
5539 "key"!: string
5540
5541 // operator represents a key's relationship to a set of values.
5542 // Valid operators are In, NotIn, Exists and DoesNotExist.
5543 "operator"!: string
5544
5545 // values is an array of string values. If the operator is In or
5546 // NotIn,
5547 // the values array must be non-empty. If the operator is Exists
5548 // or DoesNotExist,
5549 // the values array must be empty. This array is replaced during a
5550 // strategic
5551 // merge patch.
5552 "values"?: [...string]
5553 }]
5554
5555 // matchLabels is a map of {key,value} pairs. A single {key,value}
5556 // in the matchLabels
5557 // map is equivalent to an element of matchExpressions, whose key
5558 // field is "key", the
5559 // operator is "In", and the values array contains only "value".
5560 // The requirements are ANDed.
5561 "matchLabels"?: {
5562 [string]: string
5563 }
5564 }
5565
5566 // Namespaces is a list of namespace names. Each name supports
5567 // wildcard characters
5568 // "*" (matches zero or many characters) and "?" (at least one
5569 // character).
5570 "namespaces"?: [...string]
5571
5572 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5573 // "DELETE"], which are used to match a specific action.
5574 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5575
5576 // Selector is a label selector. Label keys and values in
5577 // `matchLabels` support the wildcard
5578 // characters `*` (matches zero or many characters) and `?`
5579 // (matches one character).
5580 // Wildcards allow writing label selectors like
5581 // ["storage.k8s.io/*": "*"]. Note that
5582 // using ["*" : "*"] matches any key and value but does not match
5583 // an empty label set.
5584 "selector"?: {
5585 // matchExpressions is a list of label selector requirements. The
5586 // requirements are ANDed.
5587 "matchExpressions"?: [...{
5588 // key is the label key that the selector applies to.
5589 "key"!: string
5590
5591 // operator represents a key's relationship to a set of values.
5592 // Valid operators are In, NotIn, Exists and DoesNotExist.
5593 "operator"!: string
5594
5595 // values is an array of string values. If the operator is In or
5596 // NotIn,
5597 // the values array must be non-empty. If the operator is Exists
5598 // or DoesNotExist,
5599 // the values array must be empty. This array is replaced during a
5600 // strategic
5601 // merge patch.
5602 "values"?: [...string]
5603 }]
5604
5605 // matchLabels is a map of {key,value} pairs. A single {key,value}
5606 // in the matchLabels
5607 // map is equivalent to an element of matchExpressions, whose key
5608 // field is "key", the
5609 // operator is "In", and the values array contains only "value".
5610 // The requirements are ANDed.
5611 "matchLabels"?: {
5612 [string]: string
5613 }
5614 }
5615 }
5616
5617 // Roles is the list of namespaced role names for the user.
5618 "roles"?: [...string]
5619
5620 // Subjects is the list of subject names like users, user groups,
5621 // and service accounts.
5622 "subjects"?: [...{
5623 // APIGroup holds the API group of the referenced subject.
5624 // Defaults to "" for ServiceAccount subjects.
5625 // Defaults to "rbac.authorization.k8s.io" for User and Group
5626 // subjects.
5627 "apiGroup"?: string
5628
5629 // Kind of object being referenced. Values defined by this API
5630 // group are "User", "Group", and "ServiceAccount".
5631 // If the Authorizer does not recognize the kind value, the
5632 // Authorizer should report an error.
5633 "kind"!: string
5634
5635 // Name of the object being referenced.
5636 "name"!: string
5637
5638 // Namespace of the referenced object. If the object kind is
5639 // non-namespaced, such as "User" or "Group", and this value is
5640 // not empty,
5641 // the Authorizer should report an error.
5642 "namespace"?: string
5643 }]
5644 }
5645
5646 // Mutation is used to modify matching resources.
5647 "mutate"?: {
5648 // ForEach applies mutation rules to a list of sub-elements by
5649 // creating a context for each entry in the list and looping over
5650 // it to apply the specified logic.
5651 "foreach"?: [...{
5652 // Context defines variables and data sources that can be used
5653 // during rule execution.
5654 "context"?: [...matchN(1, [{
5655 "configMap"!: _
5656 }, {
5657 "apiCall"!: _
5658 }, {
5659 "imageRegistry"!: _
5660 }, {
5661 "variable"!: _
5662 }, {
5663 "globalReference"!: _
5664 }]) & {
5665 // APICall is an HTTP request to the Kubernetes API server, or
5666 // other JSON web service.
5667 // The data returned is stored in the context with the name for
5668 // the context entry.
5669 "apiCall"?: {
5670 // The data object specifies the POST data sent to the server.
5671 // Only applicable when the method field is set to POST.
5672 "data"?: [...{
5673 // Key is a unique identifier for the data value
5674 "key"!: string
5675
5676 // Value is the data value
5677 "value"!: null | bool | number | string | [...] | {
5678 ...
5679 }
5680 }]
5681
5682 // Default is an optional arbitrary JSON object that the context
5683 // value is set to, if the apiCall returns error.
5684 "default"?: null | bool | number | string | [...] | {
5685 ...
5686 }
5687
5688 // JMESPath is an optional JSON Match Expression that can be used
5689 // to
5690 // transform the JSON response returned from the server. For
5691 // example
5692 // a JMESPath of "items | length(@)" applied to the API server
5693 // response
5694 // for the URLPath "/apis/apps/v1/deployments" will return the
5695 // total count
5696 // of deployments across all namespaces.
5697 "jmesPath"?: string
5698
5699 // Method is the HTTP request type (GET or POST). Defaults to GET.
5700 "method"?: "GET" | "POST"
5701
5702 // Service is an API call to a JSON web service.
5703 // This is used for non-Kubernetes API server calls.
5704 // It's mutually exclusive with the URLPath field.
5705 "service"?: {
5706 // CABundle is a PEM encoded CA bundle which will be used to
5707 // validate
5708 // the server certificate.
5709 "caBundle"?: string
5710
5711 // Headers is a list of optional HTTP headers to be included in
5712 // the request.
5713 "headers"?: [...{
5714 // Key is the header key
5715 "key"!: string
5716
5717 // Value is the header value
5718 "value"!: string
5719 }]
5720
5721 // URL is the JSON web service URL. A typical form is
5722 // `https://{service}.{namespace}:{port}/{path}`.
5723 "url"!: string
5724 }
5725
5726 // URLPath is the URL path to be used in the HTTP GET or POST
5727 // request to the
5728 // Kubernetes API server (e.g. "/api/v1/namespaces" or
5729 // "/apis/apps/v1/deployments").
5730 // The format required is the same format used by the `kubectl get
5731 // --raw` command.
5732 // See
5733 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
5734 // for details.
5735 // It's mutually exclusive with the Service field.
5736 "urlPath"?: string
5737 }
5738
5739 // ConfigMap is the ConfigMap reference.
5740 "configMap"?: {
5741 // Name is the ConfigMap name.
5742 "name"!: string
5743
5744 // Namespace is the ConfigMap namespace.
5745 "namespace"?: string
5746 }
5747
5748 // GlobalContextEntryReference is a reference to a cached global
5749 // context entry.
5750 "globalReference"?: {
5751 // JMESPath is an optional JSON Match Expression that can be used
5752 // to
5753 // transform the JSON response returned from the server. For
5754 // example
5755 // a JMESPath of "items | length(@)" applied to the API server
5756 // response
5757 // for the URLPath "/apis/apps/v1/deployments" will return the
5758 // total count
5759 // of deployments across all namespaces.
5760 "jmesPath"?: string
5761
5762 // Name of the global context entry
5763 "name"!: string
5764 }
5765
5766 // ImageRegistry defines requests to an OCI/Docker V2 registry to
5767 // fetch image
5768 // details.
5769 "imageRegistry"?: {
5770 // ImageRegistryCredentials provides credentials that will be used
5771 // for authentication with the registry.
5772 "imageRegistryCredentials"?: {
5773 // AllowInsecureRegistry allows insecure access to a registry.
5774 "allowInsecureRegistry"?: bool
5775
5776 // Providers specifies a list of OCI Registry names, whose
5777 // authentication providers are provided.
5778 // It can be of one of these values:
5779 // default,google,azure,amazon,github.
5780 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
5781
5782 // Secrets specifies a list of secrets that are provided for
5783 // credentials.
5784 // Secrets must live in the Kyverno namespace.
5785 "secrets"?: [...string]
5786 }
5787
5788 // JMESPath is an optional JSON Match Expression that can be used
5789 // to
5790 // transform the ImageData struct returned as a result of
5791 // processing
5792 // the image reference.
5793 "jmesPath"?: string
5794
5795 // Reference is an image reference to a container image in the
5796 // registry.
5797 // Example: ghcr.io/kyverno/kyverno:latest
5798 "reference"!: string
5799 }
5800
5801 // Name is the variable name.
5802 "name"!: string
5803
5804 // Variable defines an arbitrary JMESPath context variable that
5805 // can be defined inline.
5806 "variable"?: {
5807 // Default is an optional arbitrary JSON object that the variable
5808 // may take if the JMESPath
5809 // expression evaluates to nil
5810 "default"?: null | bool | number | string | [...] | {
5811 ...
5812 }
5813
5814 // JMESPath is an optional JMESPath Expression that can be used to
5815 // transform the variable.
5816 "jmesPath"?: string
5817
5818 // Value is any arbitrary JSON object representable in YAML or
5819 // JSON form.
5820 "value"?: null | bool | number | string | [...] | {
5821 ...
5822 }
5823 }
5824 }]
5825
5826 // Foreach declares a nested foreach iterator
5827 "foreach"?: null | bool | number | string | [...] | {
5828 ...
5829 }
5830
5831 // List specifies a JMESPath expression that results in one or
5832 // more elements
5833 // to which the validation logic is applied.
5834 "list"?: string
5835
5836 // Order defines the iteration order on the list.
5837 // Can be Ascending to iterate from the first to the last element, or
5838 // Descending to iterate from the last to the first element.
5839 "order"?: "Ascending" | "Descending"
5840
5841 // PatchStrategicMerge is a strategic merge patch used to modify
5842 // resources.
5843 // See
5844 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
5845 // and
5846 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
5847 "patchStrategicMerge"?: null | bool | number | string | [...] | {
5848 ...
5849 }
5850
5851 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
5852 // used to modify resources.
5853 // See https://tools.ietf.org/html/rfc6902 and
5854 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
5855 "patchesJson6902"?: string
5856
5857 // AnyAllConditions are used to determine if a policy rule should
5858 // be applied by evaluating a
5859 // set of conditions. The declaration can contain nested `any` or
5860 // `all` statements.
5861 // See: https://kyverno.io/docs/writing-policies/preconditions/
5862 "preconditions"?: {
5863 // AllConditions enable variable-based conditional rule execution.
5864 // This is useful for
5865 // finer control of when a rule is applied. A condition can
5866 // reference object data
5867 // using JMESPath notation.
5868 // Here, all of the conditions need to pass.
5869 "all"?: [...{
5870 // Key is the context entry (using JMESPath) for conditional rule
5871 // evaluation.
5872 "key"?: null | bool | number | string | [...] | {
5873 ...
5874 }
5875
5876 // Message is an optional display message
5877 "message"?: string
5878
5879 // Operator is the conditional operation to perform. Valid
5880 // operators are:
5881 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5882 // GreaterThanOrEquals,
5883 // GreaterThan, LessThanOrEquals, LessThan,
5884 // DurationGreaterThanOrEquals, DurationGreaterThan,
5885 // DurationLessThanOrEquals, DurationLessThan
5886 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5887
5888 // Value is the conditional value, or set of values. The values
5889 // can be fixed set
5890 // or can be variables declared using JMESPath.
5891 "value"?: null | bool | number | string | [...] | {
5892 ...
5893 }
5894 }]
5895
5896 // AnyConditions enable variable-based conditional rule execution.
5897 // This is useful for
5898 // finer control of when a rule is applied. A condition can
5899 // reference object data
5900 // using JMESPath notation.
5901 // Here, at least one of the conditions needs to pass.
5902 "any"?: [...{
5903 // Key is the context entry (using JMESPath) for conditional rule
5904 // evaluation.
5905 "key"?: null | bool | number | string | [...] | {
5906 ...
5907 }
5908
5909 // Message is an optional display message
5910 "message"?: string
5911
5912 // Operator is the conditional operation to perform. Valid
5913 // operators are:
5914 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5915 // GreaterThanOrEquals,
5916 // GreaterThan, LessThanOrEquals, LessThan,
5917 // DurationGreaterThanOrEquals, DurationGreaterThan,
5918 // DurationLessThanOrEquals, DurationLessThan
5919 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5920
5921 // Value is the conditional value, or set of values. The values
5922 // can be fixed set
5923 // or can be variables declared using JMESPath.
5924 "value"?: null | bool | number | string | [...] | {
5925 ...
5926 }
5927 }]
5928 ...
5929 }
5930 }]
5931
5932 // MutateExistingOnPolicyUpdate controls if the mutateExisting
5933 // rule will be applied on policy events.
5934 "mutateExistingOnPolicyUpdate"?: bool
5935
5936 // PatchStrategicMerge is a strategic merge patch used to modify
5937 // resources.
5938 // See
5939 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
5940 // and
5941 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
5942 "patchStrategicMerge"?: null | bool | number | string | [...] | {
5943 ...
5944 }
5945
5946 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
5947 // used to modify resources.
5948 // See https://tools.ietf.org/html/rfc6902 and
5949 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
5950 "patchesJson6902"?: string
5951
5952 // Targets defines the target resources to be mutated.
5953 "targets"?: [...{
5954 // APIVersion specifies resource apiVersion.
5955 "apiVersion"?: string
5956
5957 // Context defines variables and data sources that can be used
5958 // during rule execution.
5959 "context"?: [...matchN(1, [{
5960 "configMap"!: _
5961 }, {
5962 "apiCall"!: _
5963 }, {
5964 "imageRegistry"!: _
5965 }, {
5966 "variable"!: _
5967 }, {
5968 "globalReference"!: _
5969 }]) & {
5970 // APICall is an HTTP request to the Kubernetes API server, or
5971 // other JSON web service.
5972 // The data returned is stored in the context with the name for
5973 // the context entry.
5974 "apiCall"?: {
5975 // The data object specifies the POST data sent to the server.
5976 // Only applicable when the method field is set to POST.
5977 "data"?: [...{
5978 // Key is a unique identifier for the data value
5979 "key"!: string
5980
5981 // Value is the data value
5982 "value"!: null | bool | number | string | [...] | {
5983 ...
5984 }
5985 }]
5986
5987 // Default is an optional arbitrary JSON object that the context
5988 // value is set to, if the apiCall returns error.
5989 "default"?: null | bool | number | string | [...] | {
5990 ...
5991 }
5992
5993 // JMESPath is an optional JSON Match Expression that can be used
5994 // to
5995 // transform the JSON response returned from the server. For
5996 // example
5997 // a JMESPath of "items | length(@)" applied to the API server
5998 // response
5999 // for the URLPath "/apis/apps/v1/deployments" will return the
6000 // total count
6001 // of deployments across all namespaces.
6002 "jmesPath"?: string
6003
6004 // Method is the HTTP request type (GET or POST). Defaults to GET.
6005 "method"?: "GET" | "POST"
6006
6007 // Service is an API call to a JSON web service.
6008 // This is used for non-Kubernetes API server calls.
6009 // It's mutually exclusive with the URLPath field.
6010 "service"?: {
6011 // CABundle is a PEM encoded CA bundle which will be used to
6012 // validate
6013 // the server certificate.
6014 "caBundle"?: string
6015
6016 // Headers is a list of optional HTTP headers to be included in
6017 // the request.
6018 "headers"?: [...{
6019 // Key is the header key
6020 "key"!: string
6021
6022 // Value is the header value
6023 "value"!: string
6024 }]
6025
6026 // URL is the JSON web service URL. A typical form is
6027 // `https://{service}.{namespace}:{port}/{path}`.
6028 "url"!: string
6029 }
6030
6031 // URLPath is the URL path to be used in the HTTP GET or POST
6032 // request to the
6033 // Kubernetes API server (e.g. "/api/v1/namespaces" or
6034 // "/apis/apps/v1/deployments").
6035 // The format required is the same format used by the `kubectl get
6036 // --raw` command.
6037 // See
6038 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6039 // for details.
6040 // It's mutually exclusive with the Service field.
6041 "urlPath"?: string
6042 }
6043
6044 // ConfigMap is the ConfigMap reference.
6045 "configMap"?: {
6046 // Name is the ConfigMap name.
6047 "name"!: string
6048
6049 // Namespace is the ConfigMap namespace.
6050 "namespace"?: string
6051 }
6052
6053 // GlobalContextEntryReference is a reference to a cached global
6054 // context entry.
6055 "globalReference"?: {
6056 // JMESPath is an optional JSON Match Expression that can be used
6057 // to
6058 // transform the JSON response returned from the server. For
6059 // example
6060 // a JMESPath of "items | length(@)" applied to the API server
6061 // response
6062 // for the URLPath "/apis/apps/v1/deployments" will return the
6063 // total count
6064 // of deployments across all namespaces.
6065 "jmesPath"?: string
6066
6067 // Name of the global context entry
6068 "name"!: string
6069 }
6070
6071 // ImageRegistry defines requests to an OCI/Docker V2 registry to
6072 // fetch image
6073 // details.
6074 "imageRegistry"?: {
6075 // ImageRegistryCredentials provides credentials that will be used
6076 // for authentication with the registry.
6077 "imageRegistryCredentials"?: {
6078 // AllowInsecureRegistry allows insecure access to a registry.
6079 "allowInsecureRegistry"?: bool
6080
6081 // Providers specifies a list of OCI Registry names, whose
6082 // authentication providers are provided.
6083 // It can be of one of these values:
6084 // default,google,azure,amazon,github.
6085 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6086
6087 // Secrets specifies a list of secrets that are provided for
6088 // credentials.
6089 // Secrets must live in the Kyverno namespace.
6090 "secrets"?: [...string]
6091 }
6092
6093 // JMESPath is an optional JSON Match Expression that can be used
6094 // to
6095 // transform the ImageData struct returned as a result of
6096 // processing
6097 // the image reference.
6098 "jmesPath"?: string
6099
6100 // Reference is an image reference to a container image in the
6101 // registry.
6102 // Example: ghcr.io/kyverno/kyverno:latest
6103 "reference"!: string
6104 }
6105
6106 // Name is the variable name.
6107 "name"!: string
6108
6109 // Variable defines an arbitrary JMESPath context variable that
6110 // can be defined inline.
6111 "variable"?: {
6112 // Default is an optional arbitrary JSON object that the variable
6113 // may take if the JMESPath
6114 // expression evaluates to nil
6115 "default"?: null | bool | number | string | [...] | {
6116 ...
6117 }
6118
6119 // JMESPath is an optional JMESPath Expression that can be used to
6120 // transform the variable.
6121 "jmesPath"?: string
6122
6123 // Value is any arbitrary JSON object representable in YAML or
6124 // JSON form.
6125 "value"?: null | bool | number | string | [...] | {
6126 ...
6127 }
6128 }
6129 }]
6130
6131 // Kind specifies resource kind.
6132 "kind"?: string
6133
6134 // Name specifies the resource name.
6135 "name"?: string
6136
6137 // Namespace specifies resource namespace.
6138 "namespace"?: string
6139
6140 // Preconditions are used to determine if a policy rule should be
6141 // applied by evaluating a
6142 // set of conditions. The declaration can contain nested `any` or
6143 // `all` statements. A direct list
6144 // of conditions (without `any` or `all` statements) is supported
6145 // for backwards compatibility but
6146 // will be deprecated in the next major release.
6147 // See: https://kyverno.io/docs/writing-policies/preconditions/
6148 "preconditions"?: null | bool | number | string | [...] | {
6149 ...
6150 }
6151
6152 // Selector allows you to select target resources with their
6153 // labels.
6154 "selector"?: {
6155 // matchExpressions is a list of label selector requirements. The
6156 // requirements are ANDed.
6157 "matchExpressions"?: [...{
6158 // key is the label key that the selector applies to.
6159 "key"!: string
6160
6161 // operator represents a key's relationship to a set of values.
6162 // Valid operators are In, NotIn, Exists and DoesNotExist.
6163 "operator"!: string
6164
6165 // values is an array of string values. If the operator is In or
6166 // NotIn,
6167 // the values array must be non-empty. If the operator is Exists
6168 // or DoesNotExist,
6169 // the values array must be empty. This array is replaced during a
6170 // strategic
6171 // merge patch.
6172 "values"?: [...string]
6173 }]
6174
6175 // matchLabels is a map of {key,value} pairs. A single {key,value}
6176 // in the matchLabels
6177 // map is equivalent to an element of matchExpressions, whose key
6178 // field is "key", the
6179 // operator is "In", and the values array contains only "value".
6180 // The requirements are ANDed.
6181 "matchLabels"?: {
6182 [string]: string
6183 }
6184 }
6185
6186 // UID specifies the resource uid.
6187 "uid"?: string
6188 }]
6189 }
6190
6191 // Name is a label to identify the rule, It must be unique within
6192 // the policy.
6193 "name"!: strings.MaxRunes(
6194 63)
6195
6196 // Preconditions are used to determine if a policy rule should be
6197 // applied by evaluating a
6198 // set of conditions. The declaration can contain nested `any` or
6199 // `all` statements. A direct list
6200 // of conditions (without `any` or `all` statements) is supported
6201 // for backwards compatibility but
6202 // will be deprecated in the next major release.
6203 // See: https://kyverno.io/docs/writing-policies/preconditions/
6204 "preconditions"?: null | bool | number | string | [...] | {
6205 ...
6206 }
6207
6208 // ReportProperties are the additional properties from the rule
6209 // that will be added to the policy report result
6210 "reportProperties"?: {
6211 [string]: string
6212 }
6213
6214 // SkipBackgroundRequests bypasses admission requests that are
6215 // sent by the background controller. The default value is "true";
6216 // it must be set to "false" for generate and mutateExisting rules
6217 // to apply to those requests. NOTE(review): with "false" the rule also sees
6218 // the controller's own (presumably generated/mutated) writes — check that it cannot re-trigger itself.
6219 "skipBackgroundRequests"?: bool
6220
6221 // Validation is used to validate matching resources.
6222 "validate"?: {
6223 // AllowExistingViolations allows preexisting violating resources
6224 // to continue violating a policy. NOTE(review): this presumably exempts already non-compliant objects from an Enforce block on later requests; keep background scanning on so those violations stay visible in reports.
6225 "allowExistingViolations"?: bool
6226
6227 // AnyPattern specifies list of validation patterns. At least one
6228 // of the patterns
6229 // must be satisfied for the validation rule to succeed.
6230 "anyPattern"?: null | bool | number | string | [...] | {
6231 ...
6232 }
6233
6234 // Assert defines a kyverno-json assertion tree.
6235 "assert"?: {
6236 ...
6237 }
6238
6239 // CEL allows validation checks using the Common Expression
6240 // Language
6241 // (https://kubernetes.io/docs/reference/using-api/cel/).
6242 "cel"?: {
6243 // AuditAnnotations contains CEL expressions which are used to
6244 // produce audit annotations for the audit event of the API
6245 // request.
6246 "auditAnnotations"?: [...{
6247 // key specifies the audit annotation key. The audit annotation
6248 // keys of
6249 // a ValidatingAdmissionPolicy must be unique. The key must be a
6250 // qualified
6251 // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
6252 // length.
6253 //
6254 // The key is combined with the resource name of the
6255 // ValidatingAdmissionPolicy to construct an audit annotation key:
6256 // "{ValidatingAdmissionPolicy name}/{key}".
6257 //
6258 // If an admission webhook uses the same resource name as this
6259 // ValidatingAdmissionPolicy
6260 // and the same audit annotation key, the annotation key will be
6261 // identical.
6262 // In this case, the first annotation written with the key will be
6263 // included
6264 // in the audit event and all subsequent annotations with the same
6265 // key
6266 // will be discarded.
6267 //
6268 // Required.
6269 "key"!: string
6270
6271 // valueExpression represents the expression which is evaluated by
6272 // CEL to
6273 // produce an audit annotation value. The expression must evaluate
6274 // to either
6275 // a string or null value. If the expression evaluates to a
6276 // string, the
6277 // audit annotation is included with the string value. If the
6278 // expression
6279 // evaluates to null or empty string the audit annotation will be
6280 // omitted.
6281 // The valueExpression may be no longer than 5kb in length.
6282 // If the result of the valueExpression is more than 10kb in
6283 // length, it
6284 // will be truncated to 10kb.
6285 //
6286 // If multiple ValidatingAdmissionPolicyBinding resources match an
6287 // API request, then the valueExpression will be evaluated for
6288 // each binding. All unique values produced by the
6289 // valueExpressions
6290 // will be joined together in a comma-separated list.
6291 //
6292 // Required.
6293 "valueExpression"!: string
6294 }]
6295
6296 // Expressions is a list of CELExpression types.
6297 "expressions"?: [...{
6298 // Expression represents the expression which will be evaluated by
6299 // CEL.
6300 // ref: https://github.com/google/cel-spec
6301 // CEL expressions have access to the contents of the API
6302 // request/response, organized into CEL variables as well as some
6303 // other useful variables:
6304 //
6305 // - 'object' - The object from the incoming request. The value is
6306 // null for DELETE requests.
6307 // - 'oldObject' - The existing object. The value is null for
6308 // CREATE requests.
6309 // - 'request' - Attributes of the API
6310 // request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
6311 // - 'params' - Parameter resource referred to by the policy
6312 // binding being evaluated. Only populated if the policy has a
6313 // ParamKind.
6314 // - 'namespaceObject' - The namespace object that the incoming
6315 // object belongs to. The value is null for cluster-scoped
6316 // resources.
6317 // - 'variables' - Map of composited variables, from its name to
6318 // its lazily evaluated value.
6319 // For example, a variable named 'foo' can be accessed as
6320 // 'variables.foo'.
6321 // - 'authorizer' - A CEL Authorizer. May be used to perform
6322 // authorization checks for the principal (user or service
6323 // account) of the request.
6324 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
6325 // - 'authorizer.requestResource' - A CEL ResourceCheck
6326 // constructed from the 'authorizer' and configured with the
6327 // request resource.
6328 //
6329 // The `apiVersion`, `kind`, `metadata.name` and
6330 // `metadata.generateName` are always accessible from the root of
6331 // the
6332 // object. No other metadata properties are accessible.
6333 //
6334 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
6335 // are accessible.
6336 // Accessible property names are escaped according to the
6337 // following rules when accessed in the expression:
6338 // - '__' escapes to '__underscores__'
6339 // - '.' escapes to '__dot__'
6340 // - '-' escapes to '__dash__'
6341 // - '/' escapes to '__slash__'
6342 // - Property names that exactly match a CEL RESERVED keyword
6343 // escape to '__{keyword}__'. The keywords are:
6344 // "true", "false", "null", "in", "as", "break", "const",
6345 // "continue", "else", "for", "function", "if",
6346 // "import", "let", "loop", "package", "namespace", "return".
6347 // Examples:
6348 // - Expression accessing a property named "namespace":
6349 // {"Expression": "object.__namespace__ > 0"}
6350 // - Expression accessing a property named "x-prop":
6351 // {"Expression": "object.x__dash__prop > 0"}
6352 // - Expression accessing a property named "redact__d":
6353 // {"Expression": "object.redact__underscores__d > 0"}
6354 //
6355 // Equality on arrays with list type of 'set' or 'map' ignores
6356 // element order, i.e. [1, 2] == [2, 1].
6357 // Concatenation on arrays with x-kubernetes-list-type use the
6358 // semantics of the list type:
6359 // - 'set': `X + Y` performs a union where the array positions of
6360 // all elements in `X` are preserved and
6361 // non-intersecting elements in `Y` are appended, retaining their
6362 // partial order.
6363 // - 'map': `X + Y` performs a merge where the array positions of
6364 // all keys in `X` are preserved but the values
6365 // are overwritten by values in `Y` when the key sets of `X` and
6366 // `Y` intersect. Elements in `Y` with
6367 // non-intersecting keys are appended, retaining their partial
6368 // order.
6369 // Required.
6370 "expression"!: string
6371
6372 // Message represents the message displayed when validation fails.
6373 // The message is required if the Expression contains
6374 // line breaks. The message must not contain line breaks.
6375 // If unset, the message is "failed rule: {Rule}".
6376 // e.g. "must be a URL with the host matching spec.host"
6377 // If the Expression contains line breaks, Message is required.
6378 // The message must not contain line breaks.
6379 // If unset, the message is "failed Expression: {Expression}".
6380 "message"?: string
6381
6382 // messageExpression declares a CEL expression that evaluates to
6383 // the validation failure message that is returned when this rule
6384 // fails.
6385 // Since messageExpression is used as a failure message, it must
6386 // evaluate to a string.
6387 // If both message and messageExpression are present on a
6388 // validation, then messageExpression will be used if validation
6389 // fails.
6390 // If messageExpression results in a runtime error, the runtime
6391 // error is logged, and the validation failure message is
6392 // produced
6393 // as if the messageExpression field were unset. If
6394 // messageExpression evaluates to an empty string, a string with
6395 // only spaces, or a string
6396 // that contains line breaks, then the validation failure message
6397 // will also be produced as if the messageExpression field were
6398 // unset, and
6399 // the fact that messageExpression produced an empty string/string
6400 // with only spaces/string with line breaks will be logged.
6401 // messageExpression has access to all the same variables as the
6402 // `expression` except for 'authorizer' and
6403 // 'authorizer.requestResource'.
6404 // Example:
6405 // "object.x must be less than max ("+string(params.max)+")"
6406 "messageExpression"?: string
6407
6408 // Reason represents a machine-readable description of why this
6409 // validation failed.
6410 // If this is the first validation in the list to fail, this
6411 // reason, as well as the
6412 // corresponding HTTP response code, are used in the
6413 // HTTP response to the client.
6414 // The currently supported reasons are: "Unauthorized",
6415 // "Forbidden", "Invalid", "RequestEntityTooLarge".
6416 // If not set, StatusReasonInvalid is used in the response to the
6417 // client.
6418 "reason"?: string
6419 }]
6420
6421 // ParamKind is a tuple of Group Kind and Version.
6422 "paramKind"?: {
6423 // APIVersion is the API group version the resources belong to.
6424 // In format of "group/version".
6425 // Required.
6426 "apiVersion"?: string
6427
6428 // Kind is the API kind the resources belong to.
6429 // Required.
6430 "kind"?: string
6431 }
6432
6433 // ParamRef references a parameter resource.
6434 "paramRef"?: {
6435 // name is the name of the resource being referenced.
6436 //
6437 // One of `name` or `selector` must be set, but `name` and
6438 // `selector` are
6439 // mutually exclusive properties. If one is set, the other must be
6440 // unset.
6441 //
6442 // A single parameter used for all admission requests can be
6443 // configured
6444 // by setting the `name` field, leaving `selector` blank, and
6445 // setting namespace
6446 // if `paramKind` is namespace-scoped.
6447 "name"?: string
6448
6449 // namespace is the namespace of the referenced resource. Allows
6450 // limiting
6451 // the search for params to a specific namespace. Applies to both
6452 // `name` and
6453 // `selector` fields.
6454 //
6455 // A per-namespace parameter may be used by specifying a
6456 // namespace-scoped
6457 // `paramKind` in the policy and leaving this field empty.
6458 //
6459 // - If `paramKind` is cluster-scoped, this field MUST be unset.
6460 // Setting this
6461 // field results in a configuration error.
6462 //
6463 // - If `paramKind` is namespace-scoped, the namespace of the
6464 // object being
6465 // evaluated for admission will be used when this field is left
6466 // unset. Take
6467 // care that if this is left empty the binding must not match any
6468 // cluster-scoped
6469 // resources, which will result in an error.
6470 "namespace"?: string
6471
6472 // `parameterNotFoundAction` controls the behavior of the binding
6473 // when the resource
6474 // exists, and name or selector is valid, but there are no
6475 // parameters
6476 // matched by the binding. If the value is set to `Allow`, then no
6477 // matched parameters will be treated as successful validation by
6478 // the binding (fail-open: the request is admitted without any parameter check).
6479 // If set to `Deny`, then no matched parameters will be subject to
6480 // the
6481 // `failurePolicy` of the policy.
6482 //
6483 // Allowed values are `Allow` or `Deny` (not enforced by this schema, which types the field as a free-form string).
6484 //
6485 // Required
6486 "parameterNotFoundAction"?: string
6487
6488 // selector can be used to match multiple param objects based on
6489 // their labels.
6490 // Supply selector: {} to match all resources of the ParamKind.
6491 //
6492 // If multiple params are found, they are all evaluated with the
6493 // policy expressions
6494 // and the results are ANDed together.
6495 //
6496 // One of `name` or `selector` must be set, but `name` and
6497 // `selector` are
6498 // mutually exclusive properties. If one is set, the other must be
6499 // unset.
6500 "selector"?: {
6501 // matchExpressions is a list of label selector requirements. The
6502 // requirements are ANDed.
6503 "matchExpressions"?: [...{
6504 // key is the label key that the selector applies to.
6505 "key"!: string
6506
6507 // operator represents a key's relationship to a set of values.
6508 // Valid operators are In, NotIn, Exists and DoesNotExist.
6509 "operator"!: string
6510
6511 // values is an array of string values. If the operator is In or
6512 // NotIn,
6513 // the values array must be non-empty. If the operator is Exists
6514 // or DoesNotExist,
6515 // the values array must be empty. This array is replaced during a
6516 // strategic
6517 // merge patch.
6518 "values"?: [...string]
6519 }]
6520
6521 // matchLabels is a map of {key,value} pairs. A single {key,value}
6522 // in the matchLabels
6523 // map is equivalent to an element of matchExpressions, whose key
6524 // field is "key", the
6525 // operator is "In", and the values array contains only "value".
6526 // The requirements are ANDed.
6527 "matchLabels"?: {
6528 [string]: string
6529 }
6530 }
6531 }
6532
6533 // Variables contain definitions of variables that can be used in
6534 // composition of other expressions.
6535 // Each variable is defined as a named CEL expression.
6536 // The variables defined here will be available under `variables`
6537 // in other expressions of the policy.
6538 "variables"?: [...{
6539 // Expression is the expression that will be evaluated as the
6540 // value of the variable.
6541 // The CEL expression has access to the same identifiers as the
6542 // CEL expressions in Validation.
6543 "expression"!: string
6544
6545 // Name is the name of the variable. The name must be a valid CEL
6546 // identifier and unique among all variables.
6547 // The variable can be accessed in other expressions through
6548 // `variables`
6549 // For example, if name is "foo", the variable will be available
6550 // as `variables.foo`
6551 "name"!: string
6552 }]
6553 }
6554
6555 // Deny defines conditions used to pass or fail a validation rule.
6556 "deny"?: {
6557 // Multiple conditions can be declared under an `any` or `all`
6558 // statement. A direct list
6559 // of conditions (without `any` or `all` statements) is also
6560 // supported for backwards compatibility
6561 // but will be deprecated in the next major release.
6562 // See:
6563 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
6564 "conditions"?: null | bool | number | string | [...] | {
6565 ...
6566 }
6567 }
6568
6569 // FailureAction defines if a validation policy rule violation
6570 // should block the admission review request (Enforce), or allow
6571 // (Audit) the admission review request and only report an error in
6572 // a policy report. Optional. Allowed values are Audit or Enforce.
6573 // NOTE(review): Audit is detect-only; a rule that is meant to stop a
6574 // non-compliant object must use Enforce (and see failureActionOverrides, which can relax it per namespace).
6575 "failureAction"?: "Audit" | "Enforce"
6576
6577 // FailureActionOverrides is a Cluster Policy attribute that
6578 // specifies FailureAction namespace-wise. It overrides FailureAction
6579 // for the specified namespaces. NOTE(review): an override can
6580 // downgrade Enforce to Audit for the matched namespaces, so review entries here when auditing what a policy actually blocks.
6581 "failureActionOverrides"?: [...{
6582 // ValidationFailureAction defines the policy validation failure
6583 // action
6584 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
6585
6586 // A label selector is a label query over a set of resources. The
6587 // result of matchLabels and
6588 // matchExpressions are ANDed. An empty label selector matches all
6589 // objects. A null
6590 // label selector matches no objects.
6591 "namespaceSelector"?: {
6592 // matchExpressions is a list of label selector requirements. The
6593 // requirements are ANDed.
6594 "matchExpressions"?: [...{
6595 // key is the label key that the selector applies to.
6596 "key"!: string
6597
6598 // operator represents a key's relationship to a set of values.
6599 // Valid operators are In, NotIn, Exists and DoesNotExist.
6600 "operator"!: string
6601
6602 // values is an array of string values. If the operator is In or
6603 // NotIn,
6604 // the values array must be non-empty. If the operator is Exists
6605 // or DoesNotExist,
6606 // the values array must be empty. This array is replaced during a
6607 // strategic
6608 // merge patch.
6609 "values"?: [...string]
6610 }]
6611
6612 // matchLabels is a map of {key,value} pairs. A single {key,value}
6613 // in the matchLabels
6614 // map is equivalent to an element of matchExpressions, whose key
6615 // field is "key", the
6616 // operator is "In", and the values array contains only "value".
6617 // The requirements are ANDed.
6618 "matchLabels"?: {
6619 [string]: string
6620 }
6621 }
6622 "namespaces"?: [...string]
6623 }]
6624
6625 // ForEach applies validate rules to a list of sub-elements by
6626 // creating a context for each entry in the list and looping over
6627 // it to apply the specified logic.
6628 "foreach"?: [...{
6629 // AnyPattern specifies list of validation patterns. At least one
6630 // of the patterns
6631 // must be satisfied for the validation rule to succeed.
6632 "anyPattern"?: null | bool | number | string | [...] | {
6633 ...
6634 }
6635
6636 // Context defines variables and data sources that can be used
6637 // during rule execution.
6638 "context"?: [...matchN(1, [{
6639 "configMap"!: _
6640 }, {
6641 "apiCall"!: _
6642 }, {
6643 "imageRegistry"!: _
6644 }, {
6645 "variable"!: _
6646 }, {
6647 "globalReference"!: _
6648 }]) & {
6649 // APICall is an HTTP request to the Kubernetes API server, or
6650 // other JSON web service. The data returned is stored in the
6651 // context with the name for the context entry. NOTE(review): the request is presumably issued by the Kyverno controller itself,
6652 // so anyone who can write this policy can point it at in-cluster endpoints reachable from the controller — scope ClusterPolicy write access accordingly.
6653 "apiCall"?: {
6654 // The data object specifies the POST data sent to the server.
6655 // Only applicable when the method field is set to POST.
6656 "data"?: [...{
6657 // Key is a unique identifier for the data value
6658 "key"!: string
6659
6660 // Value is the data value
6661 "value"!: null | bool | number | string | [...] | {
6662 ...
6663 }
6664 }]
6665
6666 // Default is an optional arbitrary JSON object that the context
6667 // value is set to, if the apiCall returns error. NOTE(review): this masks call failures — choose a default that makes dependent conditions fail closed, or a transport/auth error silently turns into a pass.
6668 "default"?: null | bool | number | string | [...] | {
6669 ...
6670 }
6671
6672 // JMESPath is an optional JSON Match Expression that can be used
6673 // to
6674 // transform the JSON response returned from the server. For
6675 // example
6676 // a JMESPath of "items | length(@)" applied to the API server
6677 // response
6678 // for the URLPath "/apis/apps/v1/deployments" will return the
6679 // total count
6680 // of deployments across all namespaces.
6681 "jmesPath"?: string
6682
6683 // Method is the HTTP request type (GET or POST). Defaults to GET.
6684 "method"?: "GET" | "POST"
6685
6686 // Service is an API call to a JSON web service.
6687 // This is used for non-Kubernetes API server calls.
6688 // It's mutually exclusive with the URLPath field.
6689 "service"?: {
6690 // CABundle is a PEM encoded CA bundle which will be used to
6691 // validate the server certificate. NOTE(review): what is trusted when
6692 // this is unset is not stated here — confirm it falls back to the controller's system trust store rather than skipping verification.
6693 "caBundle"?: string
6694
6695 // Headers is a list of optional HTTP headers to be included in
6696 // the request. NOTE(review): values are plain strings stored in the policy object, so an Authorization or API-key header placed here is readable by anyone who can read the policy — there is no Secret reference at this level.
6697 "headers"?: [...{
6698 // Key is the header key
6699 "key"!: string
6700
6701 // Value is the header value
6702 "value"!: string
6703 }]
6704
6705 // URL is the JSON web service URL. A typical form is
6706 // `https://{service}.{namespace}:{port}/{path}`. NOTE(review): the schema accepts any string, so nothing here forces https; a plain-http URL would send the headers above in the clear.
6707 "url"!: string
6708 }
6709
6710 // URLPath is the URL path to be used in the HTTP GET or POST
6711 // request to the Kubernetes API server (e.g. "/api/v1/namespaces"
6712 // or "/apis/apps/v1/deployments").
6713 // The format required is the same format used by the `kubectl get
6714 // --raw` command. See
6715 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6716 // for details. It's mutually exclusive with the Service field.
6717 // NOTE(review): the call is presumably made with the Kyverno
6718 // controller's own credentials, so that service account's RBAC is
6719 // what bounds the data a policy author can pull into context — confirm.
6720 "urlPath"?: string
6721 }
6722
6723 // ConfigMap is the ConfigMap reference.
6724 "configMap"?: {
6725 // Name is the ConfigMap name.
6726 "name"!: string
6727
6728 // Namespace is the ConfigMap namespace.
6729 "namespace"?: string
6730 }
6731
6732 // GlobalContextEntryReference is a reference to a cached global
6733 // context entry.
6734 "globalReference"?: {
6735 // JMESPath is an optional JSON Match Expression that can be used
6736 // to
6737 // transform the JSON response returned from the server. For
6738 // example
6739 // a JMESPath of "items | length(@)" applied to the API server
6740 // response
6741 // for the URLPath "/apis/apps/v1/deployments" will return the
6742 // total count
6743 // of deployments across all namespaces.
6744 "jmesPath"?: string
6745
6746 // Name of the global context entry
6747 "name"!: string
6748 }
6749
6750 // ImageRegistry defines requests to an OCI/Docker V2 registry to
6751 // fetch image
6752 // details.
6753 "imageRegistry"?: {
6754 // ImageRegistryCredentials provides credentials that will be used
6755 // for authentication with registry
6756 "imageRegistryCredentials"?: {
6757 // AllowInsecureRegistry allows insecure access to a registry. NOTE(review): this weakens transport protection for the registry fetch (plain HTTP and/or unverified TLS — which of the two is not stated here); leave it unset outside test environments.
6758 "allowInsecureRegistry"?: bool
6759
6760 // Providers specifies a list of OCI Registry names, whose
6761 // authentication providers are provided.
6762 // It can be of one of these values:
6763 // default,google,azure,amazon,github.
6764 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6765
6766 // Secrets specifies a list of secrets, by name, that are provided
6767 // for registry credentials. Secrets must live in the Kyverno
6768 // namespace (names only; no credential material is stored in the policy object itself).
6769 "secrets"?: [...string]
6770 }
6771
6772 // JMESPath is an optional JSON Match Expression that can be used
6773 // to
6774 // transform the ImageData struct returned as a result of
6775 // processing
6776 // the image reference.
6777 "jmesPath"?: string
6778
6779 // Reference is image reference to a container image in the
6780 // registry.
6781 // Example: ghcr.io/kyverno/kyverno:latest
6782 "reference"!: string
6783 }
6784
6785 // Name is the variable name.
6786 "name"!: string
6787
6788 // Variable defines an arbitrary JMESPath context variable that
6789 // can be defined inline.
6790 "variable"?: {
6791 // Default is an optional arbitrary JSON object that the variable
6792 // may take if the JMESPath
6793 // expression evaluates to nil
6794 "default"?: null | bool | number | string | [...] | {
6795 ...
6796 }
6797
6798 // JMESPath is an optional JMESPath Expression that can be used to
6799 // transform the variable.
6800 "jmesPath"?: string
6801
6802 // Value is any arbitrary JSON object representable in YAML or
6803 // JSON form.
6804 "value"?: null | bool | number | string | [...] | {
6805 ...
6806 }
6807 }
6808 }]
6809
6810 // Deny defines conditions used to pass or fail a validation rule.
6811 "deny"?: {
6812 // Multiple conditions can be declared under an `any` or `all`
6813 // statement. A direct list
6814 // of conditions (without `any` or `all` statements) is also
6815 // supported for backwards compatibility
6816 // but will be deprecated in the next major release.
6817 // See:
6818 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
6819 "conditions"?: null | bool | number | string | [...] | {
6820 ...
6821 }
6822 }
6823
6824 // ElementScope specifies whether to use the current list element
6825 // as the scope for validation. Defaults to "true" if not
6826 // specified.
6827 // When set to "false", "request.object" is used as the validation
6828 // scope within the foreach
6829 // block to allow referencing other elements in the subtree.
6830 "elementScope"?: bool
6831
6832 // Foreach declares a nested foreach iterator
6833 "foreach"?: null | bool | number | string | [...] | {
6834 ...
6835 }
6836
6837 // List specifies a JMESPath expression that results in one or
6838 // more elements
6839 // to which the validation logic is applied.
6840 "list"?: string
6841
6842 // Pattern specifies an overlay-style pattern used to check
6843 // resources.
6844 "pattern"?: null | bool | number | string | [...] | {
6845 ...
6846 }
6847
6848 // AnyAllConditions are used to determine if a policy rule should
6849 // be applied by evaluating a
6850 // set of conditions. The declaration can contain nested `any` or
6851 // `all` statements.
6852 // See: https://kyverno.io/docs/writing-policies/preconditions/
6853 "preconditions"?: {
6854 // AllConditions enable variable-based conditional rule execution.
6855 // This is useful for
6856 // finer control of when a rule is applied. A condition can
6857 // reference object data
6858 // using JMESPath notation.
6859 // Here, all of the conditions need to pass
6860 "all"?: [...{
6861 // Key is the context entry (using JMESPath) for conditional rule
6862 // evaluation.
6863 "key"?: null | bool | number | string | [...] | {
6864 ...
6865 }
6866
6867 // Message is an optional display message
6868 "message"?: string
6869
6870 // Operator is the conditional operation to perform. Valid
6871 // operators are:
6872 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6873 // GreaterThanOrEquals,
6874 // GreaterThan, LessThanOrEquals, LessThan,
6875 // DurationGreaterThanOrEquals, DurationGreaterThan,
6876 // DurationLessThanOrEquals, DurationLessThan
6877 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6878
6879 // Value is the conditional value, or set of values. The values
6880 // can be fixed set
6881 // or can be variables declared using JMESPath.
6882 "value"?: null | bool | number | string | [...] | {
6883 ...
6884 }
6885 }]
6886
6887 // AnyConditions enable variable-based conditional rule execution.
6888 // This is useful for
6889 // finer control of when a rule is applied. A condition can
6890 // reference object data
6891 // using JMESPath notation.
6892 // Here, at least one of the conditions need to pass
6893 "any"?: [...{
6894 // Key is the context entry (using JMESPath) for conditional rule
6895 // evaluation.
6896 "key"?: null | bool | number | string | [...] | {
6897 ...
6898 }
6899
6900 // Message is an optional display message
6901 "message"?: string
6902
6903 // Operator is the conditional operation to perform. Valid
6904 // operators are:
6905 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6906 // GreaterThanOrEquals,
6907 // GreaterThan, LessThanOrEquals, LessThan,
6908 // DurationGreaterThanOrEquals, DurationGreaterThan,
6909 // DurationLessThanOrEquals, DurationLessThan
6910 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6911
6912 // Value is the conditional value, or set of values. The values
6913 // can be fixed set
6914 // or can be variables declared using JMESPath.
6915 "value"?: null | bool | number | string | [...] | {
6916 ...
6917 }
6918 }]
6919 ...
6920 }
6921 }]
6922
6923 // Manifest specifies conditions for manifest verification
6924 "manifests"?: {
6925 // AnnotationDomain is custom domain of annotation for message and
6926 // signature. Default is "cosign.sigstore.dev".
6927 "annotationDomain"?: string
6928
6929 // Attestors specified the required attestors (i.e. authorities)
6930 "attestors"?: [...{
6931 // Count specifies the required number of entries that must match.
6932 // If the count is null, all entries must match (a logical AND). If
6933 // the count is 1, at least one entry must match (a logical OR). If
6934 // the count contains a value N, then N must be less than or equal
6935 // to the size of entries, and at least N entries must match.
6936 // NOTE(review): count: 1 makes any single listed attestor sufficient; leave it unset (AND) where every attestor is meant to be required.
6937 "count"?: int & >=1
6938
6939 // Entries contains the available attestors. An attestor can be a
6940 // static key,
6941 // attributes for keyless verification, or a nested attestor
6942 // declaration.
6943 "entries"?: [...{
6944 // Annotations are used for image verification.
6945 // Every specified key-value pair must exist and match in the
6946 // verified payload.
6947 // The payload may contain other key-value pairs.
6948 "annotations"?: [string]: string
6949
6950 // Attestor is a nested set of Attestor used to specify a more
6951 // complex set of match authorities.
6952 "attestor"?: null | bool | number | string | [...] | {
6953 ...
6954 }
6955
6956 // Certificates specifies one or more certificates.
6957 "certificates"?: {
6958 // Cert is an optional PEM-encoded public certificate.
6959 "cert"?: string
6960
6961 // CertChain is an optional PEM encoded set of certificates used
6962 // to verify.
6963 "certChain"?: string
6964
6965 // CTLog (certificate timestamp log) provides a configuration for
6966 // validation of Signed Certificate
6967 // Timestamps (SCTs). If the value is unset, the default behavior
6968 // by Cosign is used.
6969 "ctlog"?: {
6970 // IgnoreSCT defines whether to skip the Signed Certificate
6971 // Timestamp (SCT) check for the signing certificate. Default is
6972 // false. Set to true only if SCTs were opted out during signing;
6973 // true removes the evidence that the certificate was logged in the CT log.
6974 "ignoreSCT"?: bool
6975
6976 // PubKey, if set, is used to validate SCTs against a custom
6977 // source.
6978 "pubkey"?: string
6979
6980 // TSACertChain, if set, is the PEM-encoded certificate chain file
6981 // for the RFC3161 timestamp authority. Must
6982 // contain the root CA certificate. Optionally may contain
6983 // intermediate CA certificates, and
6984 // may contain the leaf TSA certificate if not present in the
6985 // timestamp response.
6986 "tsaCertChain"?: string
6987 }
6988
6989 // Rekor provides configuration for the Rekor transparency log
6990 // service. If an empty object is provided the public instance of
6991 // Rekor (https://rekor.sigstore.dev) is used. NOTE(review): a custom `url` should
6992 // be paired with `pubkey`; which key is used for a custom instance without one is not stated here — confirm.
6993 "rekor"?: {
6994 // IgnoreTlog skips transparency log verification.
6995 "ignoreTlog"?: bool
6996
6997 // RekorPubKey is an optional PEM-encoded public key to use for a
6998 // custom Rekor.
6999 // If set, this will be used to validate transparency log
7000 // signatures from a custom Rekor.
7001 "pubkey"?: string
7002
7003 // URL is the address of the transparency log. Defaults to the
7004 // public Rekor log instance https://rekor.sigstore.dev.
7005 "url"?: string
7006 }
7007 }
7008
7009 // Keyless is a set of attributes used to verify a Sigstore keyless
7010 // attestor.
7011 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7012 "keyless"?: {
7013 // AdditionalExtensions are certificate-extensions used for
7014 // keyless signing.
7015 "additionalExtensions"?: [string]: string
7016
7017 // CTLog (certificate timestamp log) provides a configuration for
7018 // validation of Signed Certificate
7019 // Timestamps (SCTs). If the value is unset, the default behavior
7020 // by Cosign is used.
7021 "ctlog"?: {
7022 // IgnoreSCT defines whether to use the Signed Certificate
7023 // Timestamp (SCT) log to check for a certificate
7024 // timestamp. Default is false. Set to true if this was opted out
7025 // during signing.
7026 "ignoreSCT"?: bool
7027
7028 // PubKey, if set, is used to validate SCTs against a custom
7029 // source.
7030 "pubkey"?: string
7031
7032 // TSACertChain, if set, is the PEM-encoded certificate chain file
7033 // for the RFC3161 timestamp authority. Must
7034 // contain the root CA certificate. Optionally may contain
7035 // intermediate CA certificates, and
7036 // may contain the leaf TSA certificate if not present in the
7037 // timestamp source.
7038 "tsaCertChain"?: string
7039 }
7040
7041 // Issuer is the certificate issuer used for keyless signing.
7042 "issuer"?: string
7043
7044 // IssuerRegExp is the regular expression to match certificate
7045 // issuer used for keyless signing.
7046 "issuerRegExp"?: string
7047
7048 // Rekor provides configuration for the Rekor transparency log
7049 // service. If an empty object
7050 // is provided the public instance of Rekor
7051 // (https://rekor.sigstore.dev) is used.
7052 "rekor"?: {
7053 // IgnoreTlog skips transparency log verification.
7054 "ignoreTlog"?: bool
7055
7056 // RekorPubKey is an optional PEM-encoded public key to use for a
7057 // custom Rekor.
7058 // If set, this will be used to validate transparency log
7059 // signatures from a custom Rekor.
7060 "pubkey"?: string
7061
7062 // URL is the address of the transparency log. Defaults to the
7063 // public Rekor log instance https://rekor.sigstore.dev.
7064 "url"?: string
7065 }
7066
7067 // Roots is an optional set of PEM encoded trusted root
7068 // certificates.
7069 // If not provided, the system roots are used.
7070 "roots"?: string
7071
7072 // Subject is the verified identity used for keyless signing, for
7073 // example the email address.
7074 "subject"?: string
7075
7076 // SubjectRegExp is the regular expression to match identity used
7077 // for keyless signing, for example the email address.
7078 "subjectRegExp"?: string
7079 }
7080
7081 // Keys specifies one or more public keys.
7082 "keys"?: {
7083 // CTLog (certificate timestamp log) provides a configuration for
7084 // validation of Signed Certificate
7085 // Timestamps (SCTs). If the value is unset, the default behavior
7086 // by Cosign is used.
7087 "ctlog"?: {
7088 // IgnoreSCT defines whether to use the Signed Certificate
7089 // Timestamp (SCT) log to check for a certificate
7090 // timestamp. Default is false. Set to true if this was opted out
7091 // during signing.
7092 "ignoreSCT"?: bool
7093
7094 // PubKey, if set, is used to validate SCTs against a custom
7095 // source.
7096 "pubkey"?: string
7097
7098 // TSACertChain, if set, is the PEM-encoded certificate chain file
7099 // for the RFC3161 timestamp authority. Must
7100 // contain the root CA certificate. Optionally may contain
7101 // intermediate CA certificates, and
7102 // may contain the leaf TSA certificate if not present in the
7103 // timestamp source.
7104 "tsaCertChain"?: string
7105 }
7106
7107 // KMS provides the URI to the public key stored in a Key
7108 // Management System. See:
7109 // https://github.com/sigstore/cosign/blob/main/KMS.md
7110 "kms"?: string
7111
7112 // Keys is a set of X.509 public keys used to verify image
7113 // signatures. The keys can be directly
7114 // specified or can be a variable reference to a key specified in
7115 // a ConfigMap (see
7116 // https://kyverno.io/docs/writing-policies/variables/), or
7117 // reference a standard Kubernetes Secret
7118 // elsewhere in the cluster by specifying it in the format
7119 // "k8s://<namespace>/<secret_name>".
7120 // The named Secret must specify a key `cosign.pub` containing the
7121 // public key used for
7122 // verification (see
7123 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7124 // When multiple keys are specified, each key is processed as a
7125 // separate staticKey entry
7126 // (.attestors[*].entries.keys) within the set of attestors and
7127 // the count is applied across the keys.
7128 "publicKeys"?: string
7129
7130 // Rekor provides configuration for the Rekor transparency log
7131 // service. If an empty object
7132 // is provided the public instance of Rekor
7133 // (https://rekor.sigstore.dev) is used.
7134 "rekor"?: {
7135 // IgnoreTlog skips transparency log verification.
7136 "ignoreTlog"?: bool
7137
7138 // RekorPubKey is an optional PEM-encoded public key to use for a
7139 // custom Rekor.
7140 // If set, this will be used to validate transparency log
7141 // signatures from a custom Rekor.
7142 "pubkey"?: string
7143
7144 // URL is the address of the transparency log. Defaults to the
7145 // public Rekor log instance https://rekor.sigstore.dev.
7146 "url"?: string
7147 }
7148
7149 // Reference to a Secret resource that contains a public key
7150 "secret"?: {
7151 // Name of the secret. The provided secret must contain a key
7152 // named cosign.pub.
7153 "name"!: string
7154
7155 // Namespace name where the Secret exists.
7156 "namespace"!: string
7157 }
7158
7159 // Deprecated. Use attestor.signatureAlgorithm instead.
7160 "signatureAlgorithm"?: string
7161 }
7162
7163 // Repository is an optional alternate OCI repository to use for
7164 // signatures and attestations that match this rule.
7165 // If specified Repository will override other OCI image
7166 // repository locations for this Attestor.
7167 "repository"?: string
7168
7169 // Specify signature algorithm for public keys. Supported values
7170 // are sha224, sha256, sha384 and sha512.
7171 "signatureAlgorithm"?: string
7172 }]
7173 }]
7174
7175 // DryRun configuration
7176 "dryRun"?: {
7177 "enable"?: bool
7178 "namespace"?: string
7179 }
7180
7181 // Fields which will be ignored while comparing manifests.
7182 "ignoreFields"?: [...{
7183 "fields"?: [...string]
7184 "objects"?: [...{
7185 "group"?: string
7186 "kind"?: string
7187 "name"?: string
7188 "namespace"?: string
7189 "version"?: string
7190 }]
7191 }]
7192
7193 // Repository is an optional alternate OCI repository to use for
7194 // resource bundle reference.
7195 // The repository can be overridden per Attestor or Attestation.
7196 "repository"?: string
7197 }
7198
7199 // Message specifies a custom message to be displayed on failure.
7200 "message"?: string
7201
7202 // Pattern specifies an overlay-style pattern used to check
7203 // resources.
7204 "pattern"?: null | bool | number | string | [...] | {
7205 ...
7206 }
7207
7208 // PodSecurity applies exemptions for Kubernetes Pod Security
7209 // admission
7210 // by specifying exclusions for Pod Security Standards controls.
7211 "podSecurity"?: {
7212 // Exclude specifies the Pod Security Standard controls to be
7213 // excluded.
7214 "exclude"?: [...{
7215 // ControlName specifies the name of the Pod Security Standard
7216 // control.
7217 // See:
7218 // https://kubernetes.io/docs/concepts/security/pod-security-standards/
7219 "controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
7220
7221 // Images selects matching containers and applies the container
7222 // level PSS.
7223 // Each image is the image name consisting of the registry
7224 // address, repository, image, and tag.
7225 // An empty list matches no containers; PSS checks are then applied
7226 // at the pod level only.
7227 // Wildcards ('*' and '?') are allowed. See:
7228 // https://kubernetes.io/docs/concepts/containers/images.
7229 "images"?: [...string]
7230
7231 // RestrictedField selects the field for the given Pod Security
7232 // Standard control.
7233 // When not set, all restricted fields for the control are
7234 // selected.
7235 "restrictedField"?: string
7236
7237 // Values defines the allowed values that can be excluded.
7238 "values"?: [...string]
7239 }]
7240
7241 // Level defines the Pod Security Standard level to be applied to
7242 // workloads.
7243 // Allowed values are privileged, baseline, and restricted.
7244 "level"?: "privileged" | "baseline" | "restricted"
7245
7246 // Version defines the Pod Security Standard versions that
7247 // Kubernetes supports.
7248 // Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
7249 // v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
7250 "version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
7251 }
7252 }
7253
7254 // VerifyImages is used to verify image signatures and mutate them
7255 // to add a digest.
7256 "verifyImages"?: [...{
7257 // Deprecated.
7258 "additionalExtensions"?: [string]: string
7259
7260 // Deprecated. Use annotations per Attestor instead.
7261 "annotations"?: {
7262 [string]: string
7263 }
7264
7265 // Attestations are optional checks for signed in-toto Statements
7266 // used to verify the image.
7267 // See https://github.com/in-toto/attestation. Kyverno fetches
7268 // signed attestations from the
7269 // OCI registry and decodes them into a list of Statement
7270 // declarations.
7271 "attestations"?: [...{
7272 // Attestors specify the required attestors (i.e. authorities).
7273 "attestors"?: [...{
7274 // Count specifies the required number of entries that must match.
7275 // If the count is null, all entries must match
7276 // (a logical AND). If the count is 1, at least one entry must
7277 // match (a logical OR). If the count contains a
7278 // value N, then N must be less than or equal to the size of
7279 // entries, and at least N entries must match.
7280 "count"?: int & >=1
7281
7282 // Entries contains the available attestors. An attestor can be a
7283 // static key,
7284 // attributes for keyless verification, or a nested attestor
7285 // declaration.
7286 "entries"?: [...{
7287 // Annotations are used for image verification.
7288 // Every specified key-value pair must exist and match in the
7289 // verified payload.
7290 // The payload may contain other key-value pairs.
7291 "annotations"?: [string]: string
7292
7293 // Attestor is a nested set of Attestor used to specify a more
7294 // complex set of match authorities.
7295 "attestor"?: null | bool | number | string | [...] | {
7296 ...
7297 }
7298
7299 // Certificates specifies one or more certificates.
7300 "certificates"?: {
7301 // Cert is an optional PEM-encoded public certificate.
7302 "cert"?: string
7303
7304 // CertChain is an optional PEM encoded set of certificates used
7305 // to verify.
7306 "certChain"?: string
7307
7308 // CTLog (certificate timestamp log) provides a configuration for
7309 // validation of Signed Certificate
7310 // Timestamps (SCTs). If the value is unset, the default behavior
7311 // by Cosign is used.
7312 "ctlog"?: {
7313 // IgnoreSCT defines whether to use the Signed Certificate
7314 // Timestamp (SCT) log to check for a certificate
7315 // timestamp. Default is false. Set to true if this was opted out
7316 // during signing.
7317 "ignoreSCT"?: bool
7318
7319 // PubKey, if set, is used to validate SCTs against a custom
7320 // source.
7321 "pubkey"?: string
7322
7323 // TSACertChain, if set, is the PEM-encoded certificate chain file
7324 // for the RFC3161 timestamp authority. Must
7325 // contain the root CA certificate. Optionally may contain
7326 // intermediate CA certificates, and
7327 // may contain the leaf TSA certificate if not present in the
7328 // timestamp source.
7329 "tsaCertChain"?: string
7330 }
7331
7332 // Rekor provides configuration for the Rekor transparency log
7333 // service. If an empty object
7334 // is provided the public instance of Rekor
7335 // (https://rekor.sigstore.dev) is used.
7336 "rekor"?: {
7337 // IgnoreTlog skips transparency log verification.
7338 "ignoreTlog"?: bool
7339
7340 // RekorPubKey is an optional PEM-encoded public key to use for a
7341 // custom Rekor.
7342 // If set, this will be used to validate transparency log
7343 // signatures from a custom Rekor.
7344 "pubkey"?: string
7345
7346 // URL is the address of the transparency log. Defaults to the
7347 // public Rekor log instance https://rekor.sigstore.dev.
7348 "url"?: string
7349 }
7350 }
7351
7352 // Keyless is a set of attributes used to verify a Sigstore keyless
7353 // attestor.
7354 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7355 "keyless"?: {
7356 // AdditionalExtensions are certificate-extensions used for
7357 // keyless signing.
7358 "additionalExtensions"?: [string]: string
7359
7360 // CTLog (certificate timestamp log) provides a configuration for
7361 // validation of Signed Certificate
7362 // Timestamps (SCTs). If the value is unset, the default behavior
7363 // by Cosign is used.
7364 "ctlog"?: {
7365 // IgnoreSCT defines whether to use the Signed Certificate
7366 // Timestamp (SCT) log to check for a certificate
7367 // timestamp. Default is false. Set to true if this was opted out
7368 // during signing.
7369 "ignoreSCT"?: bool
7370
7371 // PubKey, if set, is used to validate SCTs against a custom
7372 // source.
7373 "pubkey"?: string
7374
7375 // TSACertChain, if set, is the PEM-encoded certificate chain file
7376 // for the RFC3161 timestamp authority. Must
7377 // contain the root CA certificate. Optionally may contain
7378 // intermediate CA certificates, and
7379 // may contain the leaf TSA certificate if not present in the
7380 // timestamp source.
7381 "tsaCertChain"?: string
7382 }
7383
7384 // Issuer is the certificate issuer used for keyless signing.
7385 "issuer"?: string
7386
7387 // IssuerRegExp is the regular expression to match certificate
7388 // issuer used for keyless signing.
7389 "issuerRegExp"?: string
7390
7391 // Rekor provides configuration for the Rekor transparency log
7392 // service. If an empty object
7393 // is provided the public instance of Rekor
7394 // (https://rekor.sigstore.dev) is used.
7395 "rekor"?: {
7396 // IgnoreTlog skips transparency log verification.
7397 "ignoreTlog"?: bool
7398
7399 // RekorPubKey is an optional PEM-encoded public key to use for a
7400 // custom Rekor.
7401 // If set, this will be used to validate transparency log
7402 // signatures from a custom Rekor.
7403 "pubkey"?: string
7404
7405 // URL is the address of the transparency log. Defaults to the
7406 // public Rekor log instance https://rekor.sigstore.dev.
7407 "url"?: string
7408 }
7409
7410 // Roots is an optional set of PEM encoded trusted root
7411 // certificates.
7412 // If not provided, the system roots are used.
7413 "roots"?: string
7414
7415 // Subject is the verified identity used for keyless signing, for
7416 // example the email address.
7417 "subject"?: string
7418
7419 // SubjectRegExp is the regular expression to match identity used
7420 // for keyless signing, for example the email address.
7421 "subjectRegExp"?: string
7422 }
7423
7424 // Keys specifies one or more public keys.
7425 "keys"?: {
7426 // CTLog (certificate timestamp log) provides a configuration for
7427 // validation of Signed Certificate
7428 // Timestamps (SCTs). If the value is unset, the default behavior
7429 // by Cosign is used.
7430 "ctlog"?: {
7431 // IgnoreSCT defines whether to use the Signed Certificate
7432 // Timestamp (SCT) log to check for a certificate
7433 // timestamp. Default is false. Set to true if this was opted out
7434 // during signing.
7435 "ignoreSCT"?: bool
7436
7437 // PubKey, if set, is used to validate SCTs against a custom
7438 // source.
7439 "pubkey"?: string
7440
7441 // TSACertChain, if set, is the PEM-encoded certificate chain file
7442 // for the RFC3161 timestamp authority. Must
7443 // contain the root CA certificate. Optionally may contain
7444 // intermediate CA certificates, and
7445 // may contain the leaf TSA certificate if not present in the
7446 // timestamp source.
7447 "tsaCertChain"?: string
7448 }
7449
7450 // KMS provides the URI to the public key stored in a Key
7451 // Management System. See:
7452 // https://github.com/sigstore/cosign/blob/main/KMS.md
7453 "kms"?: string
7454
7455 // Keys is a set of X.509 public keys used to verify image
7456 // signatures. The keys can be directly
7457 // specified or can be a variable reference to a key specified in
7458 // a ConfigMap (see
7459 // https://kyverno.io/docs/writing-policies/variables/), or
7460 // reference a standard Kubernetes Secret
7461 // elsewhere in the cluster by specifying it in the format
7462 // "k8s://<namespace>/<secret_name>".
7463 // The named Secret must specify a key `cosign.pub` containing the
7464 // public key used for
7465 // verification (see
7466 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7467 // When multiple keys are specified, each key is processed as a
7468 // separate staticKey entry
7469 // (.attestors[*].entries.keys) within the set of attestors and
7470 // the count is applied across the keys.
7471 "publicKeys"?: string
7472
7473 // Rekor provides configuration for the Rekor transparency log
7474 // service. If an empty object
7475 // is provided the public instance of Rekor
7476 // (https://rekor.sigstore.dev) is used.
7477 "rekor"?: {
7478 // IgnoreTlog skips transparency log verification.
7479 "ignoreTlog"?: bool
7480
7481 // RekorPubKey is an optional PEM-encoded public key to use for a
7482 // custom Rekor.
7483 // If set, this will be used to validate transparency log
7484 // signatures from a custom Rekor.
7485 "pubkey"?: string
7486
7487 // URL is the address of the transparency log. Defaults to the
7488 // public Rekor log instance https://rekor.sigstore.dev.
7489 "url"?: string
7490 }
7491
7492 // Reference to a Secret resource that contains a public key
7493 "secret"?: {
7494 // Name of the secret. The provided secret must contain a key
7495 // named cosign.pub.
7496 "name"!: string
7497
7498 // Namespace name where the Secret exists.
7499 "namespace"!: string
7500 }
7501
7502 // Deprecated. Use attestor.signatureAlgorithm instead.
7503 "signatureAlgorithm"?: string
7504 }
7505
7506 // Repository is an optional alternate OCI repository to use for
7507 // signatures and attestations that match this rule.
7508 // If specified Repository will override other OCI image
7509 // repository locations for this Attestor.
7510 "repository"?: string
7511
7512 // Specify signature algorithm for public keys. Supported values
7513 // are sha224, sha256, sha384 and sha512.
7514 "signatureAlgorithm"?: string
7515 }]
7516 }]
7517
7518 // Conditions are used to verify attributes within a Predicate. If
7519 // no Conditions are specified
7520 // the attestation check is satisfied as long as there are predicates
7521 // that match the predicate type.
7522 "conditions"?: [...{
7523 // AllConditions enable variable-based conditional rule execution.
7524 // This is useful for
7525 // finer control of when a rule is applied. A condition can
7526 // reference object data
7527 // using JMESPath notation.
7528 // Here, all of the conditions need to pass
7529 "all"?: [...{
7530 // Key is the context entry (using JMESPath) for conditional rule
7531 // evaluation.
7532 "key"?: null | bool | number | string | [...] | {
7533 ...
7534 }
7535
7536 // Message is an optional display message
7537 "message"?: string
7538
7539 // Operator is the conditional operation to perform. Valid
7540 // operators are:
7541 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7542 // GreaterThanOrEquals,
7543 // GreaterThan, LessThanOrEquals, LessThan,
7544 // DurationGreaterThanOrEquals, DurationGreaterThan,
7545 // DurationLessThanOrEquals, DurationLessThan
7546 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7547
7548 // Value is the conditional value, or set of values. The values
7549 // can be fixed set
7550 // or can be variables declared using JMESPath.
7551 "value"?: null | bool | number | string | [...] | {
7552 ...
7553 }
7554 }]
7555
7556 // AnyConditions enable variable-based conditional rule execution.
7557 // This is useful for
7558 // finer control of when a rule is applied. A condition can
7559 // reference object data
7560 // using JMESPath notation.
7561 // Here, at least one of the conditions needs to pass
7562 "any"?: [...{
7563 // Key is the context entry (using JMESPath) for conditional rule
7564 // evaluation.
7565 "key"?: null | bool | number | string | [...] | {
7566 ...
7567 }
7568
7569 // Message is an optional display message
7570 "message"?: string
7571
7572 // Operator is the conditional operation to perform. Valid
7573 // operators are:
7574 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7575 // GreaterThanOrEquals,
7576 // GreaterThan, LessThanOrEquals, LessThan,
7577 // DurationGreaterThanOrEquals, DurationGreaterThan,
7578 // DurationLessThanOrEquals, DurationLessThan
7579 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7580
7581 // Value is the conditional value, or set of values. The values
7582 // can be fixed set
7583 // or can be variables declared using JMESPath.
7584 "value"?: null | bool | number | string | [...] | {
7585 ...
7586 }
7587 }]
7588 }]
7589
7590 // Name is the variable name.
7591 "name"?: string
7592
7593 // Deprecated in favour of 'Type', to be removed soon
7594 "predicateType"?: string
7595
7596 // Type defines the type of attestation contained within the
7597 // Statement.
7598 "type"?: string
7599 }]
7600
7601 // Attestors specify the required attestors (i.e. authorities).
7602 "attestors"?: [...{
7603 // Count specifies the required number of entries that must match.
7604 // If the count is null, all entries must match
7605 // (a logical AND). If the count is 1, at least one entry must
7606 // match (a logical OR). If the count contains a
7607 // value N, then N must be less than or equal to the size of
7608 // entries, and at least N entries must match.
7609 "count"?: int & >=1
7610
7611 // Entries contains the available attestors. An attestor can be a
7612 // static key,
7613 // attributes for keyless verification, or a nested attestor
7614 // declaration.
7615 "entries"?: [...{
7616 // Annotations are used for image verification.
7617 // Every specified key-value pair must exist and match in the
7618 // verified payload.
7619 // The payload may contain other key-value pairs.
7620 "annotations"?: [string]: string
7621
7622 // Attestor is a nested set of Attestor used to specify a more
7623 // complex set of match authorities.
7624 "attestor"?: null | bool | number | string | [...] | {
7625 ...
7626 }
7627
7628 // Certificates specifies one or more certificates.
7629 "certificates"?: {
7630 // Cert is an optional PEM-encoded public certificate.
7631 "cert"?: string
7632
7633 // CertChain is an optional PEM encoded set of certificates used
7634 // to verify.
7635 "certChain"?: string
7636
7637 // CTLog (certificate timestamp log) provides a configuration for
7638 // validation of Signed Certificate
7639 // Timestamps (SCTs). If the value is unset, the default behavior
7640 // by Cosign is used.
7641 "ctlog"?: {
7642 // IgnoreSCT defines whether to use the Signed Certificate
7643 // Timestamp (SCT) log to check for a certificate
7644 // timestamp. Default is false. Set to true if this was opted out
7645 // during signing.
7646 "ignoreSCT"?: bool
7647
7648 // PubKey, if set, is used to validate SCTs against a custom
7649 // source.
7650 "pubkey"?: string
7651
7652 // TSACertChain, if set, is the PEM-encoded certificate chain file
7653 // for the RFC3161 timestamp authority. Must
7654 // contain the root CA certificate. Optionally may contain
7655 // intermediate CA certificates, and
7656 // may contain the leaf TSA certificate if not present in the
7657 // timestamp source.
7658 "tsaCertChain"?: string
7659 }
7660
7661 // Rekor provides configuration for the Rekor transparency log
7662 // service. If an empty object
7663 // is provided the public instance of Rekor
7664 // (https://rekor.sigstore.dev) is used.
7665 "rekor"?: {
7666 // IgnoreTlog skips transparency log verification.
7667 "ignoreTlog"?: bool
7668
7669 // RekorPubKey is an optional PEM-encoded public key to use for a
7670 // custom Rekor.
7671 // If set, this will be used to validate transparency log
7672 // signatures from a custom Rekor.
7673 "pubkey"?: string
7674
7675 // URL is the address of the transparency log. Defaults to the
7676 // public Rekor log instance https://rekor.sigstore.dev.
7677 "url"?: string
7678 }
7679 }
7680
7681 // Keyless is a set of attributes used to verify a Sigstore keyless
7682 // attestor.
7683 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7684 "keyless"?: {
7685 // AdditionalExtensions are certificate-extensions used for
7686 // keyless signing.
7687 "additionalExtensions"?: [string]: string
7688
7689 // CTLog (certificate timestamp log) provides a configuration for
7690 // validation of Signed Certificate
7691 // Timestamps (SCTs). If the value is unset, the default behavior
7692 // by Cosign is used.
7693 "ctlog"?: {
7694 // IgnoreSCT defines whether to use the Signed Certificate
7695 // Timestamp (SCT) log to check for a certificate
7696 // timestamp. Default is false. Set to true if this was opted out
7697 // during signing.
7698 "ignoreSCT"?: bool
7699
7700 // PubKey, if set, is used to validate SCTs against a custom
7701 // source.
7702 "pubkey"?: string
7703
7704 // TSACertChain, if set, is the PEM-encoded certificate chain file
7705 // for the RFC3161 timestamp authority. Must
7706 // contain the root CA certificate. Optionally may contain
7707 // intermediate CA certificates, and
7708 // may contain the leaf TSA certificate if not present in the
7709 // timestamp source.
7710 "tsaCertChain"?: string
7711 }
7712
7713 // Issuer is the certificate issuer used for keyless signing.
7714 "issuer"?: string
7715
7716 // IssuerRegExp is the regular expression to match certificate
7717 // issuer used for keyless signing.
7718 "issuerRegExp"?: string
7719
7720 // Rekor provides configuration for the Rekor transparency log
7721 // service. If an empty object
7722 // is provided the public instance of Rekor
7723 // (https://rekor.sigstore.dev) is used.
7724 "rekor"?: {
7725 // IgnoreTlog skips transparency log verification.
7726 "ignoreTlog"?: bool
7727
7728 // RekorPubKey is an optional PEM-encoded public key to use for a
7729 // custom Rekor.
7730 // If set, this will be used to validate transparency log
7731 // signatures from a custom Rekor.
7732 "pubkey"?: string
7733
7734 // URL is the address of the transparency log. Defaults to the
7735 // public Rekor log instance https://rekor.sigstore.dev.
7736 "url"?: string
7737 }
7738
7739 // Roots is an optional set of PEM encoded trusted root
7740 // certificates.
7741 // If not provided, the system roots are used.
7742 "roots"?: string
7743
7744 // Subject is the verified identity used for keyless signing, for
7745 // example the email address.
7746 "subject"?: string
7747
7748 // SubjectRegExp is the regular expression to match identity used
7749 // for keyless signing, for example the email address.
7750 "subjectRegExp"?: string
7751 }
7752
7753 // Keys specifies one or more public keys.
7754 "keys"?: {
7755 // CTLog (certificate timestamp log) provides a configuration for
7756 // validation of Signed Certificate
7757 // Timestamps (SCTs). If the value is unset, the default behavior
7758 // by Cosign is used.
7759 "ctlog"?: {
7760 // IgnoreSCT defines whether to use the Signed Certificate
7761 // Timestamp (SCT) log to check for a certificate
7762 // timestamp. Default is false. Set to true if this was opted out
7763 // during signing.
7764 "ignoreSCT"?: bool
7765
7766 // PubKey, if set, is used to validate SCTs against a custom
7767 // source.
7768 "pubkey"?: string
7769
7770 // TSACertChain, if set, is the PEM-encoded certificate chain file
7771 // for the RFC3161 timestamp authority. Must
7772 // contain the root CA certificate. Optionally may contain
7773 // intermediate CA certificates, and
7774 // may contain the leaf TSA certificate if not present in the
7775 // timestamp source.
7776 "tsaCertChain"?: string
7777 }
7778
7779 // KMS provides the URI to the public key stored in a Key
7780 // Management System. See:
7781 // https://github.com/sigstore/cosign/blob/main/KMS.md
7782 "kms"?: string
7783
7784 // Keys is a set of X.509 public keys used to verify image
7785 // signatures. The keys can be directly
7786 // specified or can be a variable reference to a key specified in
7787 // a ConfigMap (see
7788 // https://kyverno.io/docs/writing-policies/variables/), or
7789 // reference a standard Kubernetes Secret
7790 // elsewhere in the cluster by specifying it in the format
7791 // "k8s://<namespace>/<secret_name>".
7792 // The named Secret must specify a key `cosign.pub` containing the
7793 // public key used for
7794 // verification (see
7795 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7796 // When multiple keys are specified, each key is processed as a
7797 // separate staticKey entry
7798 // (.attestors[*].entries.keys) within the set of attestors and
7799 // the count is applied across the keys.
7800 "publicKeys"?: string
7801
7802 // Rekor provides configuration for the Rekor transparency log
7803 // service. If an empty object
7804 // is provided the public instance of Rekor
7805 // (https://rekor.sigstore.dev) is used.
7806 "rekor"?: {
7807 // IgnoreTlog skips transparency log verification.
7808 "ignoreTlog"?: bool
7809
7810 // RekorPubKey is an optional PEM-encoded public key to use for a
7811 // custom Rekor.
7812 // If set, this will be used to validate transparency log
7813 // signatures from a custom Rekor.
7814 "pubkey"?: string
7815
7816 // URL is the address of the transparency log. Defaults to the
7817 // public Rekor log instance https://rekor.sigstore.dev.
7818 "url"?: string
7819 }
7820
7821 // Reference to a Secret resource that contains a public key
7822 "secret"?: {
7823 // Name of the secret. The provided secret must contain a key
7824 // named cosign.pub.
7825 "name"!: string
7826
7827 // Namespace name where the Secret exists.
7828 "namespace"!: string
7829 }
7830
7831 // Deprecated. Use attestor.signatureAlgorithm instead.
7832 "signatureAlgorithm"?: string
7833 }
7834
7835 // Repository is an optional alternate OCI repository to use for
7836 // signatures and attestations that match this rule.
7837 // If specified Repository will override other OCI image
7838 // repository locations for this Attestor.
7839 "repository"?: string
7840
7841 // Specify signature algorithm for public keys. Supported values
7842 // are sha224, sha256, sha384 and sha512.
7843 "signatureAlgorithm"?: string
7844 }]
7845 }]
7846
7847 // CosignOCI11 enables the experimental OCI 1.1 behaviour in
7848 // cosign image verification.
7849 // Defaults to false.
7850 "cosignOCI11"?: bool
7851
7852 // Allowed values are Audit or Enforce.
7853 "failureAction"?: "Audit" | "Enforce"
7854
7855 // Deprecated. Use ImageReferences instead.
7856 "image"?: string
7857
7858 // ImageReferences is a list of matching image reference patterns.
7859 // At least one pattern in the
7860 // list must match the image for the rule to apply. Each image
7861 // reference consists of a registry
7862 // address (defaults to docker.io), repository, image, and tag
7863 // (defaults to latest).
7864 // Wildcards ('*' and '?') are allowed. See:
7865 // https://kubernetes.io/docs/concepts/containers/images.
7866 "imageReferences"?: [...string]
7867
7868 // ImageRegistryCredentials provides credentials that will be used
7869 // for authentication with the registry.
7870 "imageRegistryCredentials"?: {
7871 // AllowInsecureRegistry allows insecure access to a registry.
7872 "allowInsecureRegistry"?: bool
7873
7874 // Providers specifies a list of OCI registry authentication
7875 // providers to use.
7876 // Each entry must be one of these values:
7877 // default,google,azure,amazon,github.
7878 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
7879
7880 // Secrets specifies a list of secrets that are provided for
7881 // credentials.
7882 // Secrets must live in the Kyverno namespace.
7883 "secrets"?: [...string]
7884 }
7885
7886 // Deprecated. Use KeylessAttestor instead.
7887 "issuer"?: string
7888
7889 // Deprecated. Use StaticKeyAttestor instead.
7890 "key"?: string
7891
7892 // MutateDigest enables replacement of image tags with digests.
7893 // Defaults to true.
7894 "mutateDigest"?: bool
7895
7896 // Repository is an optional alternate OCI repository to use for
7897 // image signatures and attestations that match this rule.
7898 // If specified Repository will override the default OCI image
7899 // repository configured for the installation.
7900 // The repository can also be overridden per Attestor or
7901 // Attestation.
7902 "repository"?: string
7903
7904 // Required validates that images are verified, i.e. have matched
7905 // and passed a signature or attestation check.
7906 "required"?: bool
7907
7908 // Deprecated. Use KeylessAttestor instead.
7909 "roots"?: string
7910
7911 // SkipImageReferences is a list of matching image reference
7912 // patterns that should be skipped.
7913 // At least one pattern in the list must match the image for the
7914 // rule to be skipped. Each image reference
7915 // consists of a registry address (defaults to docker.io),
7916 // repository, image, and tag (defaults to latest).
7917 // Wildcards ('*' and '?') are allowed. See:
7918 // https://kubernetes.io/docs/concepts/containers/images.
7919 "skipImageReferences"?: [...string]
7920
7921 // Deprecated. Use KeylessAttestor instead.
7922 "subject"?: string
7923
7924 // Type specifies the method of signature validation. The allowed
7925 // options
7926 // are Cosign, SigstoreBundle and Notary. By default Cosign is
7927 // used if a type is not specified.
7928 "type"?: "Cosign" | "SigstoreBundle" | "Notary"
7929
7930 // UseCache enables caching of image verify responses for this
7931 // rule.
7932 "useCache"?: bool
7933
7934 // Validation checks conditions across multiple image
7935 // verification attestations or context entries
7936 "validate"?: {
7937 // Deny defines conditions used to pass or fail a validation rule.
7938 "deny"?: {
7939 // Multiple conditions can be declared under an `any` or `all`
7940 // statement. A direct list
7941 // of conditions (without `any` or `all` statements) is also
7942 // supported for backwards compatibility
7943 // but will be deprecated in the next major release.
7944 // See:
7945 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
7946 "conditions"?: null | bool | number | string | [...] | {
7947 ...
7948 }
7949 }
7950
7951 // Message specifies a custom message to be displayed on failure.
7952 "message"?: string
7953 }
7954
7955 // VerifyDigest validates that images have a digest.
7956 "verifyDigest"?: bool
7957 }]
7958 }]
7959 }
7960 "conditions"?: [...{
7961 // lastTransitionTime is the last time the condition transitioned
7962 // from one status to another.
7963 // This should be when the underlying condition changed. If that
7964 // is not known, then using the time when the API field changed
7965 // is acceptable.
7966 "lastTransitionTime"!: time.Time
7967
7968 // message is a human readable message indicating details about
7969 // the transition.
7970 // This may be an empty string.
7971 "message"!: strings.MaxRunes(
7972 32768)
7973
7974 // observedGeneration represents the .metadata.generation that the
7975 // condition was set based upon.
7976 // For instance, if .metadata.generation is currently 12, but the
7977 // .status.conditions[x].observedGeneration is 9, the condition
7978 // is out of date
7979 // with respect to the current state of the instance.
7980 "observedGeneration"?: int64 & int & >=0
7981
7982 // reason contains a programmatic identifier indicating the reason
7983 // for the condition's last transition.
7984 // Producers of specific condition types may define expected
7985 // values and meanings for this field,
7986 // and whether the values are considered a guaranteed API.
7987 // The value should be a CamelCase string.
7988 // This field may not be empty.
7989 "reason"!: strings.MaxRunes(
7990 1024) & strings.MinRunes(
7991 1) & =~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"
7992
7993 // status of the condition, one of True, False, Unknown.
7994 "status"!: "True" | "False" | "Unknown"
7995
7996 // type of condition in CamelCase or in foo.example.com/CamelCase.
7997 "type"!: strings.MaxRunes(
7998 316) & =~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
7999 }]
8000
8001 // Deprecated in favor of Conditions
8002 "ready"?: bool
8003
8004 // RuleCountStatus contains four variables which describe the counts
8005 // of validate, generate, mutate and verify images rules in the
8006 // policy.
8007 "rulecount"?: {
8008 // Count for generate rules in policy
8009 "generate"!: int
8010
8011 // Count for mutate rules in policy
8012 "mutate"!: int
8013
8014 // Count for validate rules in policy
8015 "validate"!: int
8016
8017 // Count for verify image rules in policy
8018 "verifyimages"!: int
8019 }
8020
8021 // ValidatingAdmissionPolicy contains status information
8022 "validatingadmissionpolicy"?: {
8023 // Generated indicates whether a validating admission policy is
8024 // generated from the policy or not
8025 "generated"!: bool
8026
8027 // Message is a human readable message indicating details about
8028 // the generation of the validating admission policy.
8029 // It is an empty string when the validating admission policy is
8030 // successfully generated.
8031 "message"!: string
8032 }
8033 }
8034
8035 _embeddedResource: {
8036 "apiVersion"!: string
8037 "kind"!: string
8038 "metadata"?: {
8039 ...
8040 }
8041 }
8042 apiVersion: "kyverno.io/v2beta1"
8043 kind: "ClusterPolicy"
8044 metadata!: {
8045 "name"!: string
8046 "namespace"?: string
8047 "labels"?: {
8048 [string]: string
8049 }
8050 "annotations"?: {
8051 [string]: string
8052 }
8053 ...
8054 }
8055}