1package v1
2
3import (
4 "strings"
5 "time"
6)
7
8// Policy declares validation, mutation, and generation behaviors
9// for matching resources.
10// See: https://kyverno.io/docs/writing-policies/ for more
11// information.
12#Policy: {
13 _embeddedResource
14
15 // APIVersion defines the versioned schema of this representation
16 // of an object.
17 // Servers should convert recognized schemas to the latest
18 // internal value, and
19 // may reject unrecognized values.
20 // More info:
21 // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
22 "apiVersion"?: string
23
24 // Kind is a string value representing the REST resource this
25 // object represents.
26 // Servers may infer this from the endpoint the client submits
27 // requests to.
28 // Cannot be updated.
29 // In CamelCase.
30 // More info:
31 // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
32 "kind"?: string
33 "metadata"?: {}
34
35 // Spec defines policy behaviors and contains one or more rules.
36 "spec"!: {
37 // Admission controls if rules are applied during admission.
38 // Optional. Default value is "true".
39 "admission"?: bool
40
41 // ApplyRules controls how rules in a policy are applied. Rules are
42 // processed in
43 // the order of declaration. When set to `One` processing stops
44 // after a rule has
45 // been applied i.e. the rule matches and results in a pass, fail,
46 // or error. When
47 // set to `All` all rules in the policy are processed. The default
48 // is `All`.
49 "applyRules"?: "All" | "One"
50
51 // Background controls if rules are applied to existing resources
52 // during a background scan.
53 // Optional. Default value is "true". The value must be set to
54 // "false" if the policy rule
55 // uses variables that are only available in the admission review
56 // request (e.g. user name).
57 "background"?: bool
58
59 // EmitWarning enables API response warnings for mutate policy
60 // rules or validate policy rules with validationFailureAction
61 // set to Audit.
62 // Enabling this option will extend admission request processing
63 // times. The default value is "false".
64 "emitWarning"?: bool
65
66 // Deprecated, use failurePolicy under the webhookConfiguration
67 // instead.
68 "failurePolicy"?: "Ignore" | "Fail"
69
70 // Deprecated, use generateExisting under the generate rule
71 // instead
72 "generateExisting"?: bool
73
74 // Deprecated, use generateExisting instead
75 "generateExistingOnPolicyUpdate"?: bool
76
77 // Deprecated, use mutateExistingOnPolicyUpdate under the mutate
78 // rule instead
79 "mutateExistingOnPolicyUpdate"?: bool
80
81 // Rules is a list of Rule instances. A Policy contains multiple
82 // rules and
83 // each rule can validate, mutate, or generate resources.
84 "rules"?: [...{
85 // CELPreconditions are used to determine if a policy rule should
86 // be applied by evaluating a
87 // set of CEL conditions. It can only be used with the
88 // validate.cel subrule
89 "celPreconditions"?: [...{
90 // Expression represents the expression which will be evaluated by
91 // CEL. Must evaluate to bool.
92 // CEL expressions have access to the contents of the
93 // AdmissionRequest and Authorizer, organized into CEL variables:
94 //
95 // 'object' - The object from the incoming request. The value is
96 // null for DELETE requests.
97 // 'oldObject' - The existing object. The value is null for CREATE
98 // requests.
99 // 'request' - Attributes of the admission
100 // request(/pkg/apis/admission/types.go#AdmissionRequest).
101 // 'authorizer' - A CEL Authorizer. May be used to perform
102 // authorization checks for the principal (user or service
103 // account) of the request.
104 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
105 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
106 // from the 'authorizer' and configured with the
107 // request resource.
108 // Documentation on CEL:
109 // https://kubernetes.io/docs/reference/using-api/cel/
110 //
111 // Required.
112 "expression"!: string
113
114 // Name is an identifier for this match condition, used for
115 // strategic merging of MatchConditions,
116 // as well as providing an identifier for logging purposes. A good
117 // name should be descriptive of
118 // the associated expression.
119 // Name must be a qualified name consisting of alphanumeric
120 // characters, '-', '_' or '.', and
121 // must start and end with an alphanumeric character (e.g.
122 // 'MyName', or 'my.name', or
123 // '123-abc', regex used for validation is
124 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
125 // optional DNS subdomain prefix and '/' (e.g.
126 // 'example.com/MyName')
127 //
128 // Required.
129 "name"!: string
130 }]
131
132 // Context defines variables and data sources that can be used
133 // during rule execution.
134 "context"?: [...matchN(1, [{
135 "configMap"!: _
136 }, {
137 "apiCall"!: _
138 }, {
139 "imageRegistry"!: _
140 }, {
141 "variable"!: _
142 }, {
143 "globalReference"!: _
144 }]) & {
145 // APICall is an HTTP request to the Kubernetes API server, or
146 // other JSON web service.
147 // The data returned is stored in the context with the name for
148 // the context entry.
149 "apiCall"?: {
150 // The data object specifies the POST data sent to the server.
151 // Only applicable when the method field is set to POST.
152 "data"?: [...{
153 // Key is a unique identifier for the data value
154 "key"!: string
155
156 // Value is the data value
157 "value"!: null | bool | number | string | [...] | {
158 ...
159 }
160 }]
161
162 // Default is an optional arbitrary JSON object that the context value is set to if the apiCall returns an error.
163 // Because the error is then replaced by this value, a rule whose decision depends on this entry should use a default that yields the restrictive (fail-closed) outcome.
164 "default"?: null | bool | number | string | [...] | {
165 ...
166 }
167
168 // JMESPath is an optional JSON Match Expression that can be used
169 // to
170 // transform the JSON response returned from the server. For
171 // example
172 // a JMESPath of "items | length(@)" applied to the API server
173 // response
174 // for the URLPath "/apis/apps/v1/deployments" will return the
175 // total count
176 // of deployments across all namespaces.
177 "jmesPath"?: string
178
179 // Method is the HTTP request type (GET or POST). Defaults to GET.
180 "method"?: "GET" | "POST"
181
182 // Service is an API call to a JSON web service.
183 // This is used for non-Kubernetes API server calls.
184 // It's mutually exclusive with the URLPath field.
185 "service"?: {
186 // CABundle is a PEM encoded CA bundle which will be used to
187 // validate
188 // the server certificate.
189 "caBundle"?: string
190
191 // Headers is a list of optional HTTP headers to be included in the request.
192 // Header values are stored as plain strings in the policy resource, so anyone able to read the policy can read them; avoid placing long-lived credentials here.
193 "headers"?: [...{
194 // Key is the header key
195 "key"!: string
196
197 // Value is the header value
198 "value"!: string
199 }]
200
201 // URL is the JSON web service URL. A typical form is
202 // `https://{service}.{namespace}:{port}/{path}`.
203 "url"!: string
204 }
205
206 // URLPath is the URL path to be used in the HTTP GET or POST
207 // request to the
208 // Kubernetes API server (e.g. "/api/v1/namespaces" or
209 // "/apis/apps/v1/deployments").
210 // The format required is the same format used by the `kubectl get
211 // --raw` command.
212 // See
213 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
214 // for details.
215 // It's mutually exclusive with the Service field.
216 "urlPath"?: string
217 }
218
219 // ConfigMap is the ConfigMap reference.
220 "configMap"?: {
221 // Name is the ConfigMap name.
222 "name"!: string
223
224 // Namespace is the ConfigMap namespace.
225 "namespace"?: string
226 }
227
228 // GlobalContextEntryReference is a reference to a cached global
229 // context entry.
230 "globalReference"?: {
231 // JMESPath is an optional JSON Match Expression that can be used
232 // to
233 // transform the JSON response returned from the server. For
234 // example
235 // a JMESPath of "items | length(@)" applied to the API server
236 // response
237 // for the URLPath "/apis/apps/v1/deployments" will return the
238 // total count
239 // of deployments across all namespaces.
240 "jmesPath"?: string
241
242 // Name of the global context entry
243 "name"!: string
244 }
245
246 // ImageRegistry defines requests to an OCI/Docker V2 registry to
247 // fetch image
248 // details.
249 "imageRegistry"?: {
250 // ImageRegistryCredentials provides credentials that will be used
251 // for authentication with registry
252 "imageRegistryCredentials"?: {
253 // AllowInsecureRegistry allows insecure access to a registry. Leave it unset for production registries: insecure access weakens the integrity of the fetched image data and is meant for trusted local or test registries only.
254 "allowInsecureRegistry"?: bool
255
256 // Providers specifies a list of OCI Registry names, whose
257 // authentication providers are provided.
258 // It can be of one of these values:
259 // default,google,azure,amazon,github.
260 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
261
262 // Secrets specifies a list of secrets that are provided for
263 // credentials.
264 // Secrets must live in the Kyverno namespace.
265 "secrets"?: [...string]
266 }
267
268 // JMESPath is an optional JSON Match Expression that can be used
269 // to
270 // transform the ImageData struct returned as a result of
271 // processing
272 // the image reference.
273 "jmesPath"?: string
274
275 // Reference is image reference to a container image in the
276 // registry.
277 // Example: ghcr.io/kyverno/kyverno:latest
278 "reference"!: string
279 }
280
281 // Name is the variable name.
282 "name"!: string
283
284 // Variable defines an arbitrary JMESPath context variable that
285 // can be defined inline.
286 "variable"?: {
287 // Default is an optional arbitrary JSON object that the variable
288 // may take if the JMESPath
289 // expression evaluates to nil
290 "default"?: null | bool | number | string | [...] | {
291 ...
292 }
293
294 // JMESPath is an optional JMESPath Expression that can be used to
295 // transform the variable.
296 "jmesPath"?: string
297
298 // Value is any arbitrary JSON object representable in YAML or
299 // JSON form.
300 "value"?: null | bool | number | string | [...] | {
301 ...
302 }
303 }
304 }]
305
306 // ExcludeResources defines when this policy rule should not be
307 // applied. The exclude
308 // criteria can include resource information (e.g. kind, name,
309 // namespace, labels)
310 // and admission review request information like the name or role.
311 "exclude"?: matchN(0, [null | bool | number | string | [...] | {
312 "any"!: _
313 "all"!: _
314 }]) & {
315 // All allows specifying resources which will be ANDed
316 "all"?: [...{
317 // ClusterRoles is the list of cluster-wide role names for the
318 // user.
319 "clusterRoles"?: [...string]
320
321 // ResourceDescription contains information about the resource
322 // being created or modified.
323 "resources"?: matchN(0, [null | bool | number | string | [...] | {
324 "name"!: _
325 "names"!: _
326 }]) & {
327 // Annotations is a map of annotations (key-value pairs of type
328 // string). Annotation keys
329 // and values support the wildcard characters "*" (matches zero or
330 // many characters) and
331 // "?" (matches at least one character).
332 "annotations"?: [string]: string
333
334 // Kinds is a list of resource kinds.
335 "kinds"?: [...string]
336
337 // Name is the name of the resource. The name supports wildcard
338 // characters
339 // "*" (matches zero or many characters) and "?" (at least one
340 // character).
341 // NOTE: "Name" is being deprecated in favor of "Names".
342 "name"?: string
343
344 // Names are the names of the resources. Each name supports
345 // wildcard characters
346 // "*" (matches zero or many characters) and "?" (at least one
347 // character).
348 "names"?: [...string]
349
350 // NamespaceSelector is a label selector for the resource
351 // namespace. Label keys and values
352 // in `matchLabels` support the wildcard characters `*` (matches
353 // zero or many characters)
354 // and `?` (matches one character). Wildcards allow writing label
355 // selectors like
356 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
357 // any key and value but
358 // does not match an empty label set.
359 "namespaceSelector"?: {
360 // matchExpressions is a list of label selector requirements. The
361 // requirements are ANDed.
362 "matchExpressions"?: [...{
363 // key is the label key that the selector applies to.
364 "key"!: string
365
366 // operator represents a key's relationship to a set of values.
367 // Valid operators are In, NotIn, Exists and DoesNotExist.
368 "operator"!: string
369
370 // values is an array of string values. If the operator is In or
371 // NotIn,
372 // the values array must be non-empty. If the operator is Exists
373 // or DoesNotExist,
374 // the values array must be empty. This array is replaced during a
375 // strategic
376 // merge patch.
377 "values"?: [...string]
378 }]
379
380 // matchLabels is a map of {key,value} pairs. A single {key,value}
381 // in the matchLabels
382 // map is equivalent to an element of matchExpressions, whose key
383 // field is "key", the
384 // operator is "In", and the values array contains only "value".
385 // The requirements are ANDed.
386 "matchLabels"?: {
387 [string]: string
388 }
389 }
390
391 // Namespaces is a list of namespaces names. Each name supports
392 // wildcard characters
393 // "*" (matches zero or many characters) and "?" (at least one
394 // character).
395 "namespaces"?: [...string]
396
397 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
398 // "DELETE"], which are used to match a specific action.
399 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
400
401 // Selector is a label selector. Label keys and values in
402 // `matchLabels` support the wildcard
403 // characters `*` (matches zero or many characters) and `?`
404 // (matches one character).
405 // Wildcards allows writing label selectors like
406 // ["storage.k8s.io/*": "*"]. Note that
407 // using ["*" : "*"] matches any key and value but does not match
408 // an empty label set.
409 "selector"?: {
410 // matchExpressions is a list of label selector requirements. The
411 // requirements are ANDed.
412 "matchExpressions"?: [...{
413 // key is the label key that the selector applies to.
414 "key"!: string
415
416 // operator represents a key's relationship to a set of values.
417 // Valid operators are In, NotIn, Exists and DoesNotExist.
418 "operator"!: string
419
420 // values is an array of string values. If the operator is In or
421 // NotIn,
422 // the values array must be non-empty. If the operator is Exists
423 // or DoesNotExist,
424 // the values array must be empty. This array is replaced during a
425 // strategic
426 // merge patch.
427 "values"?: [...string]
428 }]
429
430 // matchLabels is a map of {key,value} pairs. A single {key,value}
431 // in the matchLabels
432 // map is equivalent to an element of matchExpressions, whose key
433 // field is "key", the
434 // operator is "In", and the values array contains only "value".
435 // The requirements are ANDed.
436 "matchLabels"?: {
437 [string]: string
438 }
439 }
440 }
441
442 // Roles is the list of namespaced role names for the user.
443 "roles"?: [...string]
444
445 // Subjects is the list of subject names like users, user groups,
446 // and service accounts.
447 "subjects"?: [...{
448 // APIGroup holds the API group of the referenced subject.
449 // Defaults to "" for ServiceAccount subjects.
450 // Defaults to "rbac.authorization.k8s.io" for User and Group
451 // subjects.
452 "apiGroup"?: string
453
454 // Kind of object being referenced. Values defined by this API
455 // group are "User", "Group", and "ServiceAccount".
456 // If the Authorizer does not recognize the kind value, the
457 // Authorizer should report an error.
458 "kind"!: string
459
460 // Name of the object being referenced.
461 "name"!: string
462
463 // Namespace of the referenced object. If the object kind is
464 // non-namespace, such as "User" or "Group", and this value is
465 // not empty
466 // the Authorizer should report an error.
467 "namespace"?: string
468 }]
469 }]
470
471 // Any allows specifying resources which will be ORed
472 "any"?: [...{
473 // ClusterRoles is the list of cluster-wide role names for the
474 // user.
475 "clusterRoles"?: [...string]
476
477 // ResourceDescription contains information about the resource
478 // being created or modified.
479 "resources"?: matchN(0, [null | bool | number | string | [...] | {
480 "name"!: _
481 "names"!: _
482 }]) & {
483 // Annotations is a map of annotations (key-value pairs of type
484 // string). Annotation keys
485 // and values support the wildcard characters "*" (matches zero or
486 // many characters) and
487 // "?" (matches at least one character).
488 "annotations"?: [string]: string
489
490 // Kinds is a list of resource kinds.
491 "kinds"?: [...string]
492
493 // Name is the name of the resource. The name supports wildcard
494 // characters
495 // "*" (matches zero or many characters) and "?" (at least one
496 // character).
497 // NOTE: "Name" is being deprecated in favor of "Names".
498 "name"?: string
499
500 // Names are the names of the resources. Each name supports
501 // wildcard characters
502 // "*" (matches zero or many characters) and "?" (at least one
503 // character).
504 "names"?: [...string]
505
506 // NamespaceSelector is a label selector for the resource
507 // namespace. Label keys and values
508 // in `matchLabels` support the wildcard characters `*` (matches
509 // zero or many characters)
510 // and `?` (matches one character). Wildcards allow writing label
511 // selectors like
512 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
513 // any key and value but
514 // does not match an empty label set.
515 "namespaceSelector"?: {
516 // matchExpressions is a list of label selector requirements. The
517 // requirements are ANDed.
518 "matchExpressions"?: [...{
519 // key is the label key that the selector applies to.
520 "key"!: string
521
522 // operator represents a key's relationship to a set of values.
523 // Valid operators are In, NotIn, Exists and DoesNotExist.
524 "operator"!: string
525
526 // values is an array of string values. If the operator is In or
527 // NotIn,
528 // the values array must be non-empty. If the operator is Exists
529 // or DoesNotExist,
530 // the values array must be empty. This array is replaced during a
531 // strategic
532 // merge patch.
533 "values"?: [...string]
534 }]
535
536 // matchLabels is a map of {key,value} pairs. A single {key,value}
537 // in the matchLabels
538 // map is equivalent to an element of matchExpressions, whose key
539 // field is "key", the
540 // operator is "In", and the values array contains only "value".
541 // The requirements are ANDed.
542 "matchLabels"?: {
543 [string]: string
544 }
545 }
546
547 // Namespaces is a list of namespaces names. Each name supports
548 // wildcard characters
549 // "*" (matches zero or many characters) and "?" (at least one
550 // character).
551 "namespaces"?: [...string]
552
553 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
554 // "DELETE"], which are used to match a specific action.
555 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
556
557 // Selector is a label selector. Label keys and values in
558 // `matchLabels` support the wildcard
559 // characters `*` (matches zero or many characters) and `?`
560 // (matches one character).
561 // Wildcards allows writing label selectors like
562 // ["storage.k8s.io/*": "*"]. Note that
563 // using ["*" : "*"] matches any key and value but does not match
564 // an empty label set.
565 "selector"?: {
566 // matchExpressions is a list of label selector requirements. The
567 // requirements are ANDed.
568 "matchExpressions"?: [...{
569 // key is the label key that the selector applies to.
570 "key"!: string
571
572 // operator represents a key's relationship to a set of values.
573 // Valid operators are In, NotIn, Exists and DoesNotExist.
574 "operator"!: string
575
576 // values is an array of string values. If the operator is In or
577 // NotIn,
578 // the values array must be non-empty. If the operator is Exists
579 // or DoesNotExist,
580 // the values array must be empty. This array is replaced during a
581 // strategic
582 // merge patch.
583 "values"?: [...string]
584 }]
585
586 // matchLabels is a map of {key,value} pairs. A single {key,value}
587 // in the matchLabels
588 // map is equivalent to an element of matchExpressions, whose key
589 // field is "key", the
590 // operator is "In", and the values array contains only "value".
591 // The requirements are ANDed.
592 "matchLabels"?: {
593 [string]: string
594 }
595 }
596 }
597
598 // Roles is the list of namespaced role names for the user.
599 "roles"?: [...string]
600
601 // Subjects is the list of subject names like users, user groups,
602 // and service accounts.
603 "subjects"?: [...{
604 // APIGroup holds the API group of the referenced subject.
605 // Defaults to "" for ServiceAccount subjects.
606 // Defaults to "rbac.authorization.k8s.io" for User and Group
607 // subjects.
608 "apiGroup"?: string
609
610 // Kind of object being referenced. Values defined by this API
611 // group are "User", "Group", and "ServiceAccount".
612 // If the Authorizer does not recognize the kind value, the
613 // Authorizer should report an error.
614 "kind"!: string
615
616 // Name of the object being referenced.
617 "name"!: string
618
619 // Namespace of the referenced object. If the object kind is
620 // non-namespace, such as "User" or "Group", and this value is
621 // not empty
622 // the Authorizer should report an error.
623 "namespace"?: string
624 }]
625 }]
626
627 // ClusterRoles is the list of cluster-wide role names for the
628 // user.
629 "clusterRoles"?: [...string]
630
631 // ResourceDescription contains information about the resource
632 // being created or modified.
633 // Requires at least one tag to be specified when under
634 // MatchResources.
635 // Specifying ResourceDescription directly under match is being
636 // deprecated.
637 // Please specify under "any" or "all" instead.
638 "resources"?: matchN(0, [null | bool | number | string | [...] | {
639 "name"!: _
640 "names"!: _
641 }]) & {
642 // Annotations is a map of annotations (key-value pairs of type
643 // string). Annotation keys
644 // and values support the wildcard characters "*" (matches zero or
645 // many characters) and
646 // "?" (matches at least one character).
647 "annotations"?: [string]: string
648
649 // Kinds is a list of resource kinds.
650 "kinds"?: [...string]
651
652 // Name is the name of the resource. The name supports wildcard
653 // characters
654 // "*" (matches zero or many characters) and "?" (at least one
655 // character).
656 // NOTE: "Name" is being deprecated in favor of "Names".
657 "name"?: string
658
659 // Names are the names of the resources. Each name supports
660 // wildcard characters
661 // "*" (matches zero or many characters) and "?" (at least one
662 // character).
663 "names"?: [...string]
664
665 // NamespaceSelector is a label selector for the resource
666 // namespace. Label keys and values
667 // in `matchLabels` support the wildcard characters `*` (matches
668 // zero or many characters)
669 // and `?` (matches one character). Wildcards allow writing label
670 // selectors like
671 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
672 // any key and value but
673 // does not match an empty label set.
674 "namespaceSelector"?: {
675 // matchExpressions is a list of label selector requirements. The
676 // requirements are ANDed.
677 "matchExpressions"?: [...{
678 // key is the label key that the selector applies to.
679 "key"!: string
680
681 // operator represents a key's relationship to a set of values.
682 // Valid operators are In, NotIn, Exists and DoesNotExist.
683 "operator"!: string
684
685 // values is an array of string values. If the operator is In or
686 // NotIn,
687 // the values array must be non-empty. If the operator is Exists
688 // or DoesNotExist,
689 // the values array must be empty. This array is replaced during a
690 // strategic
691 // merge patch.
692 "values"?: [...string]
693 }]
694
695 // matchLabels is a map of {key,value} pairs. A single {key,value}
696 // in the matchLabels
697 // map is equivalent to an element of matchExpressions, whose key
698 // field is "key", the
699 // operator is "In", and the values array contains only "value".
700 // The requirements are ANDed.
701 "matchLabels"?: {
702 [string]: string
703 }
704 }
705
706 // Namespaces is a list of namespaces names. Each name supports
707 // wildcard characters
708 // "*" (matches zero or many characters) and "?" (at least one
709 // character).
710 "namespaces"?: [...string]
711
712 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
713 // "DELETE"], which are used to match a specific action.
714 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
715
716 // Selector is a label selector. Label keys and values in
717 // `matchLabels` support the wildcard
718 // characters `*` (matches zero or many characters) and `?`
719 // (matches one character).
720 // Wildcards allows writing label selectors like
721 // ["storage.k8s.io/*": "*"]. Note that
722 // using ["*" : "*"] matches any key and value but does not match
723 // an empty label set.
724 "selector"?: {
725 // matchExpressions is a list of label selector requirements. The
726 // requirements are ANDed.
727 "matchExpressions"?: [...{
728 // key is the label key that the selector applies to.
729 "key"!: string
730
731 // operator represents a key's relationship to a set of values.
732 // Valid operators are In, NotIn, Exists and DoesNotExist.
733 "operator"!: string
734
735 // values is an array of string values. If the operator is In or
736 // NotIn,
737 // the values array must be non-empty. If the operator is Exists
738 // or DoesNotExist,
739 // the values array must be empty. This array is replaced during a
740 // strategic
741 // merge patch.
742 "values"?: [...string]
743 }]
744
745 // matchLabels is a map of {key,value} pairs. A single {key,value}
746 // in the matchLabels
747 // map is equivalent to an element of matchExpressions, whose key
748 // field is "key", the
749 // operator is "In", and the values array contains only "value".
750 // The requirements are ANDed.
751 "matchLabels"?: {
752 [string]: string
753 }
754 }
755 }
756
757 // Roles is the list of namespaced role names for the user.
758 "roles"?: [...string]
759
760 // Subjects is the list of subject names like users, user groups,
761 // and service accounts.
762 "subjects"?: [...{
763 // APIGroup holds the API group of the referenced subject.
764 // Defaults to "" for ServiceAccount subjects.
765 // Defaults to "rbac.authorization.k8s.io" for User and Group
766 // subjects.
767 "apiGroup"?: string
768
769 // Kind of object being referenced. Values defined by this API
770 // group are "User", "Group", and "ServiceAccount".
771 // If the Authorizer does not recognize the kind value, the
772 // Authorizer should report an error.
773 "kind"!: string
774
775 // Name of the object being referenced.
776 "name"!: string
777
778 // Namespace of the referenced object. If the object kind is
779 // non-namespace, such as "User" or "Group", and this value is
780 // not empty
781 // the Authorizer should report an error.
782 "namespace"?: string
783 }]
784 }
785
786 // Generation is used to create new resources.
787 "generate"?: {
788 // APIVersion specifies resource apiVersion.
789 "apiVersion"?: string
790
791 // Clone specifies the source resource used to populate each
792 // generated resource.
793 // At most one of Data or Clone can be specified. If neither are
794 // provided, the generated
795 // resource will be created with default data only.
796 "clone"?: {
797 // Name specifies name of the resource.
798 "name"?: string
799
800 // Namespace specifies source resource namespace.
801 "namespace"?: string
802 }
803
804 // CloneList specifies the list of source resources used to
805 // populate each generated resource.
806 "cloneList"?: {
807 // Kinds is a list of resource kinds.
808 "kinds"?: [...string]
809
810 // Namespace specifies source resource namespace.
811 "namespace"?: string
812
813 // Selector is a label selector. Wildcard characters are not
814 // supported in `matchLabels` keys and values here (unlike the
815 // match/exclude selectors above).
816 "selector"?: {
817 // matchExpressions is a list of label selector requirements. The
818 // requirements are ANDed.
819 "matchExpressions"?: [...{
820 // key is the label key that the selector applies to.
821 "key"!: string
822
823 // operator represents a key's relationship to a set of values.
824 // Valid operators are In, NotIn, Exists and DoesNotExist.
825 "operator"!: string
826
827 // values is an array of string values. If the operator is In or
828 // NotIn,
829 // the values array must be non-empty. If the operator is Exists
830 // or DoesNotExist,
831 // the values array must be empty. This array is replaced during a
832 // strategic
833 // merge patch.
834 "values"?: [...string]
835 }]
836
837 // matchLabels is a map of {key,value} pairs. A single {key,value}
838 // in the matchLabels
839 // map is equivalent to an element of matchExpressions, whose key
840 // field is "key", the
841 // operator is "In", and the values array contains only "value".
842 // The requirements are ANDed.
843 "matchLabels"?: {
844 [string]: string
845 }
846 }
847 }
848
849 // Data provides the resource declaration used to populate each
850 // generated resource.
851 // At most one of Data or Clone can be specified. If neither are
852 // provided, the generated
853 // resource will be created with default data only.
854 "data"?: null | bool | number | string | [...] | {
855 ...
856 }
857
858 // ForEach applies generate rules to a list of sub-elements by
859 // creating a context for each entry in the list and looping over
860 // it to apply the specified logic.
861 "foreach"?: [...{
862 // APIVersion specifies resource apiVersion.
863 "apiVersion"?: string
864
865 // Clone specifies the source resource used to populate each
866 // generated resource.
867 // At most one of Data or Clone can be specified. If neither are
868 // provided, the generated
869 // resource will be created with default data only.
870 "clone"?: {
871 // Name specifies name of the resource.
872 "name"?: string
873
874 // Namespace specifies source resource namespace.
875 "namespace"?: string
876 }
877
878 // CloneList specifies the list of source resources used to
879 // populate each generated resource.
880 "cloneList"?: {
881 // Kinds is a list of resource kinds.
882 "kinds"?: [...string]
883
884 // Namespace specifies source resource namespace.
885 "namespace"?: string
886
887 // Selector is a label selector. Wildcard characters are not
888 // supported in `matchLabels` keys and values here (unlike the
889 // match/exclude selectors above).
890 "selector"?: {
891 // matchExpressions is a list of label selector requirements. The
892 // requirements are ANDed.
893 "matchExpressions"?: [...{
894 // key is the label key that the selector applies to.
895 "key"!: string
896
897 // operator represents a key's relationship to a set of values.
898 // Valid operators are In, NotIn, Exists and DoesNotExist.
899 "operator"!: string
900
901 // values is an array of string values. If the operator is In or
902 // NotIn,
903 // the values array must be non-empty. If the operator is Exists
904 // or DoesNotExist,
905 // the values array must be empty. This array is replaced during a
906 // strategic
907 // merge patch.
908 "values"?: [...string]
909 }]
910
911 // matchLabels is a map of {key,value} pairs. A single {key,value}
912 // in the matchLabels
913 // map is equivalent to an element of matchExpressions, whose key
914 // field is "key", the
915 // operator is "In", and the values array contains only "value".
916 // The requirements are ANDed.
917 "matchLabels"?: {
918 [string]: string
919 }
920 }
921 }
922
923 // Context defines variables and data sources that can be used
924 // during rule execution.
925 "context"?: [...matchN(1, [{
926 "configMap"!: _
927 }, {
928 "apiCall"!: _
929 }, {
930 "imageRegistry"!: _
931 }, {
932 "variable"!: _
933 }, {
934 "globalReference"!: _
935 }]) & {
936 // APICall is an HTTP request to the Kubernetes API server, or
937 // other JSON web service.
938 // The data returned is stored in the context with the name for
939 // the context entry.
940 "apiCall"?: {
941 // The data object specifies the POST data sent to the server.
942 // Only applicable when the method field is set to POST.
943 "data"?: [...{
944 // Key is a unique identifier for the data value
945 "key"!: string
946
947 // Value is the data value
948 "value"!: null | bool | number | string | [...] | {
949 ...
950 }
951 }]
952
953 // Default is an optional arbitrary JSON object that the context
954 // value is set to, if the apiCall returns error.
955 "default"?: null | bool | number | string | [...] | {
956 ...
957 }
958
959 // JMESPath is an optional JSON Match Expression that can be used
960 // to
961 // transform the JSON response returned from the server. For
962 // example
963 // a JMESPath of "items | length(@)" applied to the API server
964 // response
965 // for the URLPath "/apis/apps/v1/deployments" will return the
966 // total count
967 // of deployments across all namespaces.
968 "jmesPath"?: string
969
970 // Method is the HTTP request type (GET or POST). Defaults to GET.
971 "method"?: "GET" | "POST"
972
973 // Service is an API call to a JSON web service.
974 // This is used for non-Kubernetes API server calls.
975 // It's mutually exclusive with the URLPath field.
976 "service"?: {
977 // CABundle is a PEM encoded CA bundle which will be used to
978 // validate
979 // the server certificate.
980 "caBundle"?: string
981
982 // Headers is a list of optional HTTP headers to be included in
983 // the request.
984 "headers"?: [...{
985 // Key is the header key
986 "key"!: string
987
988 // Value is the header value
989 "value"!: string
990 }]
991
992 // URL is the JSON web service URL. A typical form is
993 // `https://{service}.{namespace}:{port}/{path}`.
994 "url"!: string
995 }
996
997 // URLPath is the URL path to be used in the HTTP GET or POST
998 // request to the
999 // Kubernetes API server (e.g. "/api/v1/namespaces" or
1000 // "/apis/apps/v1/deployments").
1001 // The format required is the same format used by the `kubectl get
1002 // --raw` command.
1003 // See
1004 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1005 // for details.
1006 // It's mutually exclusive with the Service field.
1007 "urlPath"?: string
1008 }
1009
1010 // ConfigMap is the ConfigMap reference.
1011 "configMap"?: {
1012 // Name is the ConfigMap name.
1013 "name"!: string
1014
1015 // Namespace is the ConfigMap namespace.
1016 "namespace"?: string
1017 }
1018
1019 // GlobalContextEntryReference is a reference to a cached global
1020 // context entry.
1021 "globalReference"?: {
1022 // JMESPath is an optional JSON Match Expression that can be used
1023 // to
1024 // transform the JSON response returned from the server. For
1025 // example
1026 // a JMESPath of "items | length(@)" applied to the API server
1027 // response
1028 // for the URLPath "/apis/apps/v1/deployments" will return the
1029 // total count
1030 // of deployments across all namespaces.
1031 "jmesPath"?: string
1032
1033 // Name of the global context entry
1034 "name"!: string
1035 }
1036
1037 // ImageRegistry defines requests to an OCI/Docker V2 registry to
1038 // fetch image
1039 // details.
1040 "imageRegistry"?: {
1041 // ImageRegistryCredentials provides credentials that will be used
1042 // for authentication with registry
1043 "imageRegistryCredentials"?: {
1044 // AllowInsecureRegistry allows insecure access to a registry.
1045 "allowInsecureRegistry"?: bool
1046
1047 // Providers specifies a list of OCI Registry names, whose
1048 // authentication providers are provided.
1049 // It can be of one of these values:
1050 // default,google,azure,amazon,github.
1051 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1052
1053 // Secrets specifies a list of secrets that are provided for
1054 // credentials.
1055 // Secrets must live in the Kyverno namespace.
1056 "secrets"?: [...string]
1057 }
1058
1059 // JMESPath is an optional JSON Match Expression that can be used
1060 // to
1061 // transform the ImageData struct returned as a result of
1062 // processing
1063 // the image reference.
1064 "jmesPath"?: string
1065
1066 // Reference is image reference to a container image in the
1067 // registry.
1068 // Example: ghcr.io/kyverno/kyverno:latest
1069 "reference"!: string
1070 }
1071
1072 // Name is the variable name.
1073 "name"!: string
1074
1075 // Variable defines an arbitrary JMESPath context variable that
1076 // can be defined inline.
1077 "variable"?: {
1078 // Default is an optional arbitrary JSON object that the variable
1079 // may take if the JMESPath
1080 // expression evaluates to nil
1081 "default"?: null | bool | number | string | [...] | {
1082 ...
1083 }
1084
1085 // JMESPath is an optional JMESPath Expression that can be used to
1086 // transform the variable.
1087 "jmesPath"?: string
1088
1089 // Value is any arbitrary JSON object representable in YAML or
1090 // JSON form.
1091 "value"?: null | bool | number | string | [...] | {
1092 ...
1093 }
1094 }
1095 }]
1096
1097 // Data provides the resource declaration used to populate each
1098 // generated resource.
1099 // At most one of Data or Clone must be specified. If neither are
1100 // provided, the generated
1101 // resource will be created with default data only.
1102 "data"?: null | bool | number | string | [...] | {
1103 ...
1104 }
1105
1106 // Kind specifies resource kind.
1107 "kind"?: string
1108
1109 // List specifies a JMESPath expression that results in one or
1110 // more elements
1111 // to which the validation logic is applied.
1112 "list"?: string
1113
1114 // Name specifies the resource name.
1115 "name"?: string
1116
1117 // Namespace specifies resource namespace.
1118 "namespace"?: string
1119
1120 // AnyAllConditions are used to determine if a policy rule should
1121 // be applied by evaluating a
1122 // set of conditions. The declaration can contain nested `any` or
1123 // `all` statements.
1124 // See: https://kyverno.io/docs/writing-policies/preconditions/
1125 "preconditions"?: {
1126 // AllConditions enable variable-based conditional rule execution.
1127 // This is useful for
1128 // finer control of when an rule is applied. A condition can
1129 // reference object data
1130 // using JMESPath notation.
1131 // Here, all of the conditions need to pass
1132 "all"?: [...{
1133 // Key is the context entry (using JMESPath) for conditional rule
1134 // evaluation.
1135 "key"?: null | bool | number | string | [...] | {
1136 ...
1137 }
1138
1139 // Message is an optional display message
1140 "message"?: string
1141
1142 // Operator is the conditional operation to perform. Valid
1143 // operators are:
1144 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1145 // GreaterThanOrEquals,
1146 // GreaterThan, LessThanOrEquals, LessThan,
1147 // DurationGreaterThanOrEquals, DurationGreaterThan,
1148 // DurationLessThanOrEquals, DurationLessThan
1149 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1150
1151 // Value is the conditional value, or set of values. The values
1152 // can be fixed set
1153 // or can be variables declared using JMESPath.
1154 "value"?: null | bool | number | string | [...] | {
1155 ...
1156 }
1157 }]
1158
1159 // AnyConditions enable variable-based conditional rule execution.
1160 // This is useful for
1161 // finer control of when an rule is applied. A condition can
1162 // reference object data
1163 // using JMESPath notation.
1164 // Here, at least one of the conditions need to pass
1165 "any"?: [...{
1166 // Key is the context entry (using JMESPath) for conditional rule
1167 // evaluation.
1168 "key"?: null | bool | number | string | [...] | {
1169 ...
1170 }
1171
1172 // Message is an optional display message
1173 "message"?: string
1174
1175 // Operator is the conditional operation to perform. Valid
1176 // operators are:
1177 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1178 // GreaterThanOrEquals,
1179 // GreaterThan, LessThanOrEquals, LessThan,
1180 // DurationGreaterThanOrEquals, DurationGreaterThan,
1181 // DurationLessThanOrEquals, DurationLessThan
1182 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1183
1184 // Value is the conditional value, or set of values. The values
1185 // can be fixed set
1186 // or can be variables declared using JMESPath.
1187 "value"?: null | bool | number | string | [...] | {
1188 ...
1189 }
1190 }]
1191 ...
1192 }
1193
1194 // UID specifies the resource uid.
1195 "uid"?: string
1196 }]
1197
// GenerateExisting controls whether the rule is also triggered for
// resources that already exist when the policy is created. When set
// to "true" the rule is applied to existing matching resources, not
// only to those admitted afterwards.
"generateExisting"?: bool
1203
// Kind specifies the kind of the generated resource.
"kind"?: string
1206
// Name specifies the name of the generated resource.
"name"?: string
1209
// Namespace specifies the namespace the resource is generated in.
"namespace"?: string
1212
// OrphanDownstreamOnPolicyDelete controls whether generated
// resources are left in place ("orphaned") rather than deleted when
// the rule that generated them is deleted with synchronization
// enabled. Only applicable to generate rules of the data type; see
// https://kyverno.io/docs/writing-policies/generate/#data-examples.
// Defaults to "false" (generated resources are deleted) if not
// specified.
"orphanDownstreamOnPolicyDelete"?: bool
1221
// Synchronize controls whether generated resources are kept in sync
// with their source. When "true", changes made to a generated
// resource are overwritten with the content of Data or of the
// resource named in the Clone declaration. Two consequences worth
// keeping in mind: manual edits to a generated resource do not
// persist, and a change to a Clone source propagates to every
// downstream copy.
// Optional. Defaults to "false" if not specified.
"synchronize"?: bool
1230
// UID specifies the uid of the generated resource.
"uid"?: string
1233 }
1234
// ImageExtractors maps resource kinds to the ImageExtractorConfigs
// that locate image references inside them. Only valid for
// verifyImages rules.
"imageExtractors"?: {
	[string]: [...{
		// JMESPath is an optional expression applied to the extracted
		// image value, e.g. to strip a prefix such as 'docker://' with
		// trim_prefix(@, 'docker://').
		// Note: image digest mutation may not be used when a JMESPath
		// is applied to an image.
		"jmesPath"?: string

		// Key is an optional name of the field within 'path' used to
		// uniquely identify an image. This field MUST be unique.
		"key"?: string

		// Name is the entry the image is exposed under as
		// 'images.<name>' in the context. If unset, image entries
		// appear under 'images.custom'.
		"name"?: string

		// Path is the slash-separated path to the object holding the
		// image field in a custom resource. Each slash-separated key
		// must be a valid YAML key or the wildcard '*'; wildcard keys
		// are expanded over arrays and objects.
		"path"!: string

		// Value is an optional name of the field within 'path' that
		// holds the image URI. Useful when a custom 'key' is also
		// defined.
		"value"?: string
	}]
}
1274
// MatchResources defines when this rule applies. The criteria can
// include resource information (kind, name, namespace, labels) and
// admission request information (requesting user, roles). At least
// one kind is required. `any` and `all` are mutually exclusive: the
// matchN(0) below rejects a struct that sets both.
"match"!: matchN(0, [null | bool | number | string | [...] | {
	"any"!: _
	"all"!: _
}]) & {
	// All lists match clauses that are ANDed: every entry must match.
	"all"?: [...{
		// ClusterRoles is the list of cluster-wide role names held by
		// the requesting user.
		"clusterRoles"?: [...string]

		// ResourceDescription describes the resource being created or
		// modified. `name` and `names` are mutually exclusive.
		"resources"?: matchN(0, [null | bool | number | string | [...] | {
			"name"!: _
			"names"!: _
		}]) & {
			// Annotations is a map of annotation key/value pairs
			// (strings). Keys and values support the wildcards "*"
			// (zero or more characters) and "?" (at least one
			// character).
			"annotations"?: [string]: string

			// Kinds is the list of resource kinds to match.
			"kinds"?: [...string]

			// Name is the resource name; supports the wildcards "*"
			// (zero or more characters) and "?" (at least one
			// character).
			// Deprecated: use "names" instead.
			"name"?: string

			// Names are the resource names; each supports the
			// wildcards "*" (zero or more characters) and "?" (at
			// least one character).
			"names"?: [...string]

			// NamespaceSelector is a label selector on the resource's
			// namespace. Keys and values in `matchLabels` support the
			// wildcards `*` (zero or more characters) and `?` (one
			// character), which allows selectors such as
			// ["storage.k8s.io/*": "*"]. Note that ["*": "*"] matches
			// any key and value but not an empty label set.
			"namespaceSelector"?: {
				// matchExpressions is a list of label selector
				// requirements; they are ANDed.
				"matchExpressions"?: [...{
					// key is the label key the selector applies to.
					"key"!: string

					// operator is the key's relationship to the values:
					// In, NotIn, Exists or DoesNotExist.
					"operator"!: string

					// values must be non-empty for In/NotIn and empty for
					// Exists/DoesNotExist. The array is replaced (not
					// merged) by a strategic merge patch.
					"values"?: [...string]
				}]

				// matchLabels is a map of {key,value} pairs; each pair
				// is equivalent to a matchExpressions entry with that
				// key, operator "In" and a single value. The
				// requirements are ANDed.
				"matchLabels"?: {
					[string]: string
				}
			}

			// Namespaces is a list of namespace names; each supports
			// the wildcards "*" (zero or more characters) and "?" (at
			// least one character).
			"namespaces"?: [...string]

			// Operations restricts the match to specific admission
			// operations: any of "CREATE", "UPDATE", "CONNECT",
			// "DELETE".
			"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

			// Selector is a label selector on the resource itself.
			// Keys and values in `matchLabels` support the wildcards
			// `*` (zero or more characters) and `?` (one character),
			// which allows selectors such as ["storage.k8s.io/*": "*"].
			// Note that ["*": "*"] matches any key and value but not
			// an empty label set.
			"selector"?: {
				// matchExpressions is a list of label selector
				// requirements; they are ANDed.
				"matchExpressions"?: [...{
					// key is the label key the selector applies to.
					"key"!: string

					// operator is the key's relationship to the values:
					// In, NotIn, Exists or DoesNotExist.
					"operator"!: string

					// values must be non-empty for In/NotIn and empty for
					// Exists/DoesNotExist. The array is replaced (not
					// merged) by a strategic merge patch.
					"values"?: [...string]
				}]

				// matchLabels is a map of {key,value} pairs; each pair
				// is equivalent to a matchExpressions entry with that
				// key, operator "In" and a single value. The
				// requirements are ANDed.
				"matchLabels"?: {
					[string]: string
				}
			}
		}

		// Roles is the list of namespaced role names held by the
		// requesting user.
		"roles"?: [...string]

		// Subjects lists the requesting users, groups or service
		// accounts to match. Like roles and clusterRoles this comes
		// from the admission request's user info, so it presumably
		// cannot match in a background scan (there is no requester);
		// rules relying on it should keep background disabled —
		// confirm.
		"subjects"?: [...{
			// APIGroup holds the API group of the referenced subject.
			// Defaults to "" for ServiceAccount and to
			// "rbac.authorization.k8s.io" for User and Group.
			"apiGroup"?: string

			// Kind of the subject: "User", "Group" or "ServiceAccount".
			// An unrecognized kind should be reported as an error by
			// the authorizer.
			"kind"!: string

			// Name of the subject.
			"name"!: string

			// Namespace of the subject. For non-namespaced kinds such
			// as "User" or "Group" a non-empty value should be
			// reported as an error by the authorizer.
			"namespace"?: string
		}]
	}]

	// Any lists match clauses that are ORed: one matching entry is
	// enough.
	"any"?: [...{
		// ClusterRoles is the list of cluster-wide role names held by
		// the requesting user.
		"clusterRoles"?: [...string]

		// ResourceDescription describes the resource being created or
		// modified. `name` and `names` are mutually exclusive.
		"resources"?: matchN(0, [null | bool | number | string | [...] | {
			"name"!: _
			"names"!: _
		}]) & {
			// Annotations is a map of annotation key/value pairs
			// (strings). Keys and values support the wildcards "*"
			// (zero or more characters) and "?" (at least one
			// character).
			"annotations"?: [string]: string

			// Kinds is the list of resource kinds to match.
			"kinds"?: [...string]

			// Name is the resource name; supports the wildcards "*"
			// (zero or more characters) and "?" (at least one
			// character).
			// Deprecated: use "names" instead.
			"name"?: string

			// Names are the resource names; each supports the
			// wildcards "*" (zero or more characters) and "?" (at
			// least one character).
			"names"?: [...string]

			// NamespaceSelector is a label selector on the resource's
			// namespace. Keys and values in `matchLabels` support the
			// wildcards `*` (zero or more characters) and `?` (one
			// character), which allows selectors such as
			// ["storage.k8s.io/*": "*"]. Note that ["*": "*"] matches
			// any key and value but not an empty label set.
			"namespaceSelector"?: {
				// matchExpressions is a list of label selector
				// requirements; they are ANDed.
				"matchExpressions"?: [...{
					// key is the label key the selector applies to.
					"key"!: string

					// operator is the key's relationship to the values:
					// In, NotIn, Exists or DoesNotExist.
					"operator"!: string

					// values must be non-empty for In/NotIn and empty for
					// Exists/DoesNotExist. The array is replaced (not
					// merged) by a strategic merge patch.
					"values"?: [...string]
				}]

				// matchLabels is a map of {key,value} pairs; each pair
				// is equivalent to a matchExpressions entry with that
				// key, operator "In" and a single value. The
				// requirements are ANDed.
				"matchLabels"?: {
					[string]: string
				}
			}

			// Namespaces is a list of namespace names; each supports
			// the wildcards "*" (zero or more characters) and "?" (at
			// least one character).
			"namespaces"?: [...string]

			// Operations restricts the match to specific admission
			// operations: any of "CREATE", "UPDATE", "CONNECT",
			// "DELETE".
			"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

			// Selector is a label selector on the resource itself.
			// Keys and values in `matchLabels` support the wildcards
			// `*` (zero or more characters) and `?` (one character),
			// which allows selectors such as ["storage.k8s.io/*": "*"].
			// Note that ["*": "*"] matches any key and value but not
			// an empty label set.
			"selector"?: {
				// matchExpressions is a list of label selector
				// requirements; they are ANDed.
				"matchExpressions"?: [...{
					// key is the label key the selector applies to.
					"key"!: string

					// operator is the key's relationship to the values:
					// In, NotIn, Exists or DoesNotExist.
					"operator"!: string

					// values must be non-empty for In/NotIn and empty for
					// Exists/DoesNotExist. The array is replaced (not
					// merged) by a strategic merge patch.
					"values"?: [...string]
				}]

				// matchLabels is a map of {key,value} pairs; each pair
				// is equivalent to a matchExpressions entry with that
				// key, operator "In" and a single value. The
				// requirements are ANDed.
				"matchLabels"?: {
					[string]: string
				}
			}
		}

		// Roles is the list of namespaced role names held by the
		// requesting user.
		"roles"?: [...string]

		// Subjects lists the requesting users, groups or service
		// accounts to match. Like roles and clusterRoles this comes
		// from the admission request's user info, so it presumably
		// cannot match in a background scan (there is no requester);
		// rules relying on it should keep background disabled —
		// confirm.
		"subjects"?: [...{
			// APIGroup holds the API group of the referenced subject.
			// Defaults to "" for ServiceAccount and to
			// "rbac.authorization.k8s.io" for User and Group.
			"apiGroup"?: string

			// Kind of the subject: "User", "Group" or "ServiceAccount".
			// An unrecognized kind should be reported as an error by
			// the authorizer.
			"kind"!: string

			// Name of the subject.
			"name"!: string

			// Namespace of the subject. For non-namespaced kinds such
			// as "User" or "Group" a non-empty value should be
			// reported as an error by the authorizer.
			"namespace"?: string
		}]
	}]

	// ClusterRoles is the list of cluster-wide role names held by the
	// requesting user.
	"clusterRoles"?: [...string]

	// ResourceDescription describes the resource being created or
	// modified. At least one field must be set when used directly
	// under match. `name` and `names` are mutually exclusive.
	// Deprecated: specifying resources directly under match is being
	// phased out; put it under "any" or "all" instead.
	"resources"?: matchN(0, [null | bool | number | string | [...] | {
		"name"!: _
		"names"!: _
	}]) & {
		// Annotations is a map of annotation key/value pairs
		// (strings). Keys and values support the wildcards "*" (zero
		// or more characters) and "?" (at least one character).
		"annotations"?: [string]: string

		// Kinds is the list of resource kinds to match.
		"kinds"?: [...string]

		// Name is the resource name; supports the wildcards "*" (zero
		// or more characters) and "?" (at least one character).
		// Deprecated: use "names" instead.
		"name"?: string

		// Names are the resource names; each supports the wildcards
		// "*" (zero or more characters) and "?" (at least one
		// character).
		"names"?: [...string]

		// NamespaceSelector is a label selector on the resource's
		// namespace. Keys and values in `matchLabels` support the
		// wildcards `*` (zero or more characters) and `?` (one
		// character), which allows selectors such as
		// ["storage.k8s.io/*": "*"]. Note that ["*": "*"] matches any
		// key and value but not an empty label set.
		"namespaceSelector"?: {
			// matchExpressions is a list of label selector
			// requirements; they are ANDed.
			"matchExpressions"?: [...{
				// key is the label key the selector applies to.
				"key"!: string

				// operator is the key's relationship to the values:
				// In, NotIn, Exists or DoesNotExist.
				"operator"!: string

				// values must be non-empty for In/NotIn and empty for
				// Exists/DoesNotExist. The array is replaced (not
				// merged) by a strategic merge patch.
				"values"?: [...string]
			}]

			// matchLabels is a map of {key,value} pairs; each pair is
			// equivalent to a matchExpressions entry with that key,
			// operator "In" and a single value. The requirements are
			// ANDed.
			"matchLabels"?: {
				[string]: string
			}
		}

		// Namespaces is a list of namespace names; each supports the
		// wildcards "*" (zero or more characters) and "?" (at least
		// one character).
		"namespaces"?: [...string]

		// Operations restricts the match to specific admission
		// operations: any of "CREATE", "UPDATE", "CONNECT", "DELETE".
		"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

		// Selector is a label selector on the resource itself. Keys
		// and values in `matchLabels` support the wildcards `*` (zero
		// or more characters) and `?` (one character), which allows
		// selectors such as ["storage.k8s.io/*": "*"]. Note that
		// ["*": "*"] matches any key and value but not an empty label
		// set.
		"selector"?: {
			// matchExpressions is a list of label selector
			// requirements; they are ANDed.
			"matchExpressions"?: [...{
				// key is the label key the selector applies to.
				"key"!: string

				// operator is the key's relationship to the values:
				// In, NotIn, Exists or DoesNotExist.
				"operator"!: string

				// values must be non-empty for In/NotIn and empty for
				// Exists/DoesNotExist. The array is replaced (not
				// merged) by a strategic merge patch.
				"values"?: [...string]
			}]

			// matchLabels is a map of {key,value} pairs; each pair is
			// equivalent to a matchExpressions entry with that key,
			// operator "In" and a single value. The requirements are
			// ANDed.
			"matchLabels"?: {
				[string]: string
			}
		}
	}

	// Roles is the list of namespaced role names held by the
	// requesting user.
	"roles"?: [...string]

	// Subjects lists the requesting users, groups or service accounts
	// to match. Like roles and clusterRoles this comes from the
	// admission request's user info, so it presumably cannot match in
	// a background scan (there is no requester); rules relying on it
	// should keep background disabled — confirm.
	"subjects"?: [...{
		// APIGroup holds the API group of the referenced subject.
		// Defaults to "" for ServiceAccount and to
		// "rbac.authorization.k8s.io" for User and Group.
		"apiGroup"?: string

		// Kind of the subject: "User", "Group" or "ServiceAccount". An
		// unrecognized kind should be reported as an error by the
		// authorizer.
		"kind"!: string

		// Name of the subject.
		"name"!: string

		// Namespace of the subject. For non-namespaced kinds such as
		// "User" or "Group" a non-empty value should be reported as an
		// error by the authorizer.
		"namespace"?: string
	}]
}
1756
1757 // Mutation is used to modify matching resources.
1758 "mutate"?: {
1759 // ForEach applies mutation rules to a list of sub-elements by
1760 // creating a context for each entry in the list and looping over
1761 // it to apply the specified logic.
1762 "foreach"?: [...{
1763 // Context defines variables and data sources that can be used
1764 // during rule execution.
1765 "context"?: [...matchN(1, [{
1766 "configMap"!: _
1767 }, {
1768 "apiCall"!: _
1769 }, {
1770 "imageRegistry"!: _
1771 }, {
1772 "variable"!: _
1773 }, {
1774 "globalReference"!: _
1775 }]) & {
1776 // APICall is an HTTP request to the Kubernetes API server, or
1777 // other JSON web service.
1778 // The data returned is stored in the context with the name for
1779 // the context entry.
1780 "apiCall"?: {
1781 // The data object specifies the POST data sent to the server.
1782 // Only applicable when the method field is set to POST.
1783 "data"?: [...{
1784 // Key is a unique identifier for the data value
1785 "key"!: string
1786
1787 // Value is the data value
1788 "value"!: null | bool | number | string | [...] | {
1789 ...
1790 }
1791 }]
1792
1793 // Default is an optional arbitrary JSON object that the context
1794 // value is set to, if the apiCall returns error.
1795 "default"?: null | bool | number | string | [...] | {
1796 ...
1797 }
1798
1799 // JMESPath is an optional JSON Match Expression that can be used
1800 // to
1801 // transform the JSON response returned from the server. For
1802 // example
1803 // a JMESPath of "items | length(@)" applied to the API server
1804 // response
1805 // for the URLPath "/apis/apps/v1/deployments" will return the
1806 // total count
1807 // of deployments across all namespaces.
1808 "jmesPath"?: string
1809
1810 // Method is the HTTP request type (GET or POST). Defaults to GET.
1811 "method"?: "GET" | "POST"
1812
1813 // Service is an API call to a JSON web service.
1814 // This is used for non-Kubernetes API server calls.
1815 // It's mutually exclusive with the URLPath field.
1816 "service"?: {
1817 // CABundle is a PEM encoded CA bundle which will be used to
1818 // validate
1819 // the server certificate.
1820 "caBundle"?: string
1821
1822 // Headers is a list of optional HTTP headers to be included in
1823 // the request.
1824 "headers"?: [...{
1825 // Key is the header key
1826 "key"!: string
1827
1828 // Value is the header value
1829 "value"!: string
1830 }]
1831
1832 // URL is the JSON web service URL. A typical form is
1833 // `https://{service}.{namespace}:{port}/{path}`.
1834 "url"!: string
1835 }
1836
1837 // URLPath is the URL path to be used in the HTTP GET or POST
1838 // request to the
1839 // Kubernetes API server (e.g. "/api/v1/namespaces" or
1840 // "/apis/apps/v1/deployments").
1841 // The format required is the same format used by the `kubectl get
1842 // --raw` command.
1843 // See
1844 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1845 // for details.
1846 // It's mutually exclusive with the Service field.
1847 "urlPath"?: string
1848 }
1849
1850 // ConfigMap is the ConfigMap reference.
1851 "configMap"?: {
1852 // Name is the ConfigMap name.
1853 "name"!: string
1854
1855 // Namespace is the ConfigMap namespace.
1856 "namespace"?: string
1857 }
1858
1859 // GlobalContextEntryReference is a reference to a cached global
1860 // context entry.
1861 "globalReference"?: {
1862 // JMESPath is an optional JSON Match Expression that can be used
1863 // to
1864 // transform the JSON response returned from the server. For
1865 // example
1866 // a JMESPath of "items | length(@)" applied to the API server
1867 // response
1868 // for the URLPath "/apis/apps/v1/deployments" will return the
1869 // total count
1870 // of deployments across all namespaces.
1871 "jmesPath"?: string
1872
1873 // Name of the global context entry
1874 "name"!: string
1875 }
1876
1877 // ImageRegistry defines requests to an OCI/Docker V2 registry to
1878 // fetch image
1879 // details.
1880 "imageRegistry"?: {
1881 // ImageRegistryCredentials provides credentials that will be used
1882 // for authentication with the registry.
1883 "imageRegistryCredentials"?: {
1884 // AllowInsecureRegistry allows insecure access to a registry.
1885 "allowInsecureRegistry"?: bool
1886
1887 // Providers specifies a list of OCI Registry names, whose
1888 // authentication providers are provided.
1889 // It can be of one of these values:
1890 // default,google,azure,amazon,github.
1891 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1892
1893 // Secrets specifies a list of secrets that are provided for
1894 // credentials.
1895 // Secrets must live in the Kyverno namespace.
1896 "secrets"?: [...string]
1897 }
1898
1899 // JMESPath is an optional JSON Match Expression that can be used
1900 // to
1901 // transform the ImageData struct returned as a result of
1902 // processing
1903 // the image reference.
1904 "jmesPath"?: string
1905
1906 // Reference is the image reference to a container image in the
1907 // registry.
1908 // Example: ghcr.io/kyverno/kyverno:latest
1909 "reference"!: string
1910 }
1911
1912 // Name is the variable name.
1913 "name"!: string
1914
1915 // Variable defines an arbitrary JMESPath context variable that
1916 // can be defined inline.
1917 "variable"?: {
1918 // Default is an optional arbitrary JSON object that the variable
1919 // may take if the JMESPath
1920 // expression evaluates to nil
1921 "default"?: null | bool | number | string | [...] | {
1922 ...
1923 }
1924
1925 // JMESPath is an optional JMESPath Expression that can be used to
1926 // transform the variable.
1927 "jmesPath"?: string
1928
1929 // Value is any arbitrary JSON object representable in YAML or
1930 // JSON form.
1931 "value"?: null | bool | number | string | [...] | {
1932 ...
1933 }
1934 }
1935 }]
1936
1937 // Foreach declares a nested foreach iterator
1938 "foreach"?: null | bool | number | string | [...] | {
1939 ...
1940 }
1941
1942 // List specifies a JMESPath expression that results in one or
1943 // more elements
1944 // to which the validation logic is applied.
1945 "list"?: string
1946
1947 // Order defines the iteration order on the list.
1948 // Can be Ascending to iterate from first to last element or
1949 // Descending to iterate from last to first element.
1950 "order"?: "Ascending" | "Descending"
1951
1952 // PatchStrategicMerge is a strategic merge patch used to modify
1953 // resources.
1954 // See
1955 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1956 // and
1957 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1958 "patchStrategicMerge"?: null | bool | number | string | [...] | {
1959 ...
1960 }
1961
1962 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1963 // used to modify resources.
1964 // See https://tools.ietf.org/html/rfc6902 and
1965 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1966 "patchesJson6902"?: string
1967
1968 // AnyAllConditions are used to determine if a policy rule should
1969 // be applied by evaluating a
1970 // set of conditions. The declaration can contain nested `any` or
1971 // `all` statements.
1972 // See: https://kyverno.io/docs/writing-policies/preconditions/
1973 "preconditions"?: {
1974 // AllConditions enable variable-based conditional rule execution.
1975 // This is useful for
1976 // finer control of when a rule is applied. A condition can
1977 // reference object data
1978 // using JMESPath notation.
1979 // Here, all of the conditions need to pass
1980 "all"?: [...{
1981 // Key is the context entry (using JMESPath) for conditional rule
1982 // evaluation.
1983 "key"?: null | bool | number | string | [...] | {
1984 ...
1985 }
1986
1987 // Message is an optional display message
1988 "message"?: string
1989
1990 // Operator is the conditional operation to perform. Valid
1991 // operators are:
1992 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1993 // GreaterThanOrEquals,
1994 // GreaterThan, LessThanOrEquals, LessThan,
1995 // DurationGreaterThanOrEquals, DurationGreaterThan,
1996 // DurationLessThanOrEquals, DurationLessThan
1997 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1998
1999 // Value is the conditional value, or set of values. The values
2000 // can be fixed set
2001 // or can be variables declared using JMESPath.
2002 "value"?: null | bool | number | string | [...] | {
2003 ...
2004 }
2005 }]
2006
2007 // AnyConditions enable variable-based conditional rule execution.
2008 // This is useful for
2009 // finer control of when a rule is applied. A condition can
2010 // reference object data
2011 // using JMESPath notation.
2012 // Here, at least one of the conditions need to pass
2013 "any"?: [...{
2014 // Key is the context entry (using JMESPath) for conditional rule
2015 // evaluation.
2016 "key"?: null | bool | number | string | [...] | {
2017 ...
2018 }
2019
2020 // Message is an optional display message
2021 "message"?: string
2022
2023 // Operator is the conditional operation to perform. Valid
2024 // operators are:
2025 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2026 // GreaterThanOrEquals,
2027 // GreaterThan, LessThanOrEquals, LessThan,
2028 // DurationGreaterThanOrEquals, DurationGreaterThan,
2029 // DurationLessThanOrEquals, DurationLessThan
2030 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2031
2032 // Value is the conditional value, or set of values. The values
2033 // can be fixed set
2034 // or can be variables declared using JMESPath.
2035 "value"?: null | bool | number | string | [...] | {
2036 ...
2037 }
2038 }]
2039 ...
2040 }
2041 }]
2042
2043 // MutateExistingOnPolicyUpdate controls if the mutateExisting
2044 // rule will be applied on policy events.
2045 "mutateExistingOnPolicyUpdate"?: bool
2046
2047 // PatchStrategicMerge is a strategic merge patch used to modify
2048 // resources.
2049 // See
2050 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
2051 // and
2052 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
2053 "patchStrategicMerge"?: null | bool | number | string | [...] | {
2054 ...
2055 }
2056
2057 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
2058 // used to modify resources.
2059 // See https://tools.ietf.org/html/rfc6902 and
2060 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
2061 "patchesJson6902"?: string
2062
2063 // Targets defines the target resources to be mutated.
2064 "targets"?: [...{
2065 // APIVersion specifies resource apiVersion.
2066 "apiVersion"?: string
2067
2068 // Context defines variables and data sources that can be used
2069 // during rule execution.
2070 "context"?: [...matchN(1, [{
2071 "configMap"!: _
2072 }, {
2073 "apiCall"!: _
2074 }, {
2075 "imageRegistry"!: _
2076 }, {
2077 "variable"!: _
2078 }, {
2079 "globalReference"!: _
2080 }]) & {
2081 // APICall is an HTTP request to the Kubernetes API server, or
2082 // other JSON web service.
2083 // The data returned is stored in the context with the name for
2084 // the context entry.
2085 "apiCall"?: {
2086 // The data object specifies the POST data sent to the server.
2087 // Only applicable when the method field is set to POST.
2088 "data"?: [...{
2089 // Key is a unique identifier for the data value
2090 "key"!: string
2091
2092 // Value is the data value
2093 "value"!: null | bool | number | string | [...] | {
2094 ...
2095 }
2096 }]
2097
2098 // Default is an optional arbitrary JSON object that the context
2099 // value is set to if the apiCall returns an error.
2100 "default"?: null | bool | number | string | [...] | {
2101 ...
2102 }
2103
2104 // JMESPath is an optional JSON Match Expression that can be used
2105 // to
2106 // transform the JSON response returned from the server. For
2107 // example
2108 // a JMESPath of "items | length(@)" applied to the API server
2109 // response
2110 // for the URLPath "/apis/apps/v1/deployments" will return the
2111 // total count
2112 // of deployments across all namespaces.
2113 "jmesPath"?: string
2114
2115 // Method is the HTTP request type (GET or POST). Defaults to GET.
2116 "method"?: "GET" | "POST"
2117
2118 // Service is an API call to a JSON web service.
2119 // This is used for non-Kubernetes API server calls.
2120 // It's mutually exclusive with the URLPath field.
2121 "service"?: {
2122 // CABundle is a PEM encoded CA bundle which will be used to
2123 // validate
2124 // the server certificate.
2125 "caBundle"?: string
2126
2127 // Headers is a list of optional HTTP headers to be included in
2128 // the request.
2129 "headers"?: [...{
2130 // Key is the header key
2131 "key"!: string
2132
2133 // Value is the header value
2134 "value"!: string
2135 }]
2136
2137 // URL is the JSON web service URL. A typical form is
2138 // `https://{service}.{namespace}:{port}/{path}`.
2139 "url"!: string
2140 }
2141
2142 // URLPath is the URL path to be used in the HTTP GET or POST
2143 // request to the
2144 // Kubernetes API server (e.g. "/api/v1/namespaces" or
2145 // "/apis/apps/v1/deployments").
2146 // The format required is the same format used by the `kubectl get
2147 // --raw` command.
2148 // See
2149 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2150 // for details.
2151 // It's mutually exclusive with the Service field.
2152 "urlPath"?: string
2153 }
2154
2155 // ConfigMap is the ConfigMap reference.
2156 "configMap"?: {
2157 // Name is the ConfigMap name.
2158 "name"!: string
2159
2160 // Namespace is the ConfigMap namespace.
2161 "namespace"?: string
2162 }
2163
2164 // GlobalContextEntryReference is a reference to a cached global
2165 // context entry.
2166 "globalReference"?: {
2167 // JMESPath is an optional JSON Match Expression that can be used
2168 // to
2169 // transform the JSON response returned from the server. For
2170 // example
2171 // a JMESPath of "items | length(@)" applied to the API server
2172 // response
2173 // for the URLPath "/apis/apps/v1/deployments" will return the
2174 // total count
2175 // of deployments across all namespaces.
2176 "jmesPath"?: string
2177
2178 // Name of the global context entry
2179 "name"!: string
2180 }
2181
2182 // ImageRegistry defines requests to an OCI/Docker V2 registry to
2183 // fetch image
2184 // details.
2185 "imageRegistry"?: {
2186 // ImageRegistryCredentials provides credentials that will be used
2187 // for authentication with the registry.
2188 "imageRegistryCredentials"?: {
2189 // AllowInsecureRegistry allows insecure access to a registry.
2190 "allowInsecureRegistry"?: bool
2191
2192 // Providers specifies a list of OCI Registry names, whose
2193 // authentication providers are provided.
2194 // It can be of one of these values:
2195 // default,google,azure,amazon,github.
2196 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2197
2198 // Secrets specifies a list of secrets that are provided for
2199 // credentials.
2200 // Secrets must live in the Kyverno namespace.
2201 "secrets"?: [...string]
2202 }
2203
2204 // JMESPath is an optional JSON Match Expression that can be used
2205 // to
2206 // transform the ImageData struct returned as a result of
2207 // processing
2208 // the image reference.
2209 "jmesPath"?: string
2210
2211 // Reference is the image reference to a container image in the
2212 // registry.
2213 // Example: ghcr.io/kyverno/kyverno:latest
2214 "reference"!: string
2215 }
2216
2217 // Name is the variable name.
2218 "name"!: string
2219
2220 // Variable defines an arbitrary JMESPath context variable that
2221 // can be defined inline.
2222 "variable"?: {
2223 // Default is an optional arbitrary JSON object that the variable
2224 // may take if the JMESPath
2225 // expression evaluates to nil
2226 "default"?: null | bool | number | string | [...] | {
2227 ...
2228 }
2229
2230 // JMESPath is an optional JMESPath Expression that can be used to
2231 // transform the variable.
2232 "jmesPath"?: string
2233
2234 // Value is any arbitrary JSON object representable in YAML or
2235 // JSON form.
2236 "value"?: null | bool | number | string | [...] | {
2237 ...
2238 }
2239 }
2240 }]
2241
2242 // Kind specifies resource kind.
2243 "kind"?: string
2244
2245 // Name specifies the resource name.
2246 "name"?: string
2247
2248 // Namespace specifies resource namespace.
2249 "namespace"?: string
2250
2251 // Preconditions are used to determine if a policy rule should be
2252 // applied by evaluating a
2253 // set of conditions. The declaration can contain nested `any` or
2254 // `all` statements. A direct list
2255 // of conditions (without `any` or `all` statements) is supported
2256 // for backwards compatibility but
2257 // will be deprecated in the next major release.
2258 // See: https://kyverno.io/docs/writing-policies/preconditions/
2259 "preconditions"?: null | bool | number | string | [...] | {
2260 ...
2261 }
2262
2263 // Selector allows you to select target resources by their
2264 // labels.
2265 "selector"?: {
2266 // matchExpressions is a list of label selector requirements. The
2267 // requirements are ANDed.
2268 "matchExpressions"?: [...{
2269 // key is the label key that the selector applies to.
2270 "key"!: string
2271
2272 // operator represents a key's relationship to a set of values.
2273 // Valid operators are In, NotIn, Exists and DoesNotExist.
2274 "operator"!: string
2275
2276 // values is an array of string values. If the operator is In or
2277 // NotIn,
2278 // the values array must be non-empty. If the operator is Exists
2279 // or DoesNotExist,
2280 // the values array must be empty. This array is replaced during a
2281 // strategic
2282 // merge patch.
2283 "values"?: [...string]
2284 }]
2285
2286 // matchLabels is a map of {key,value} pairs. A single {key,value}
2287 // in the matchLabels
2288 // map is equivalent to an element of matchExpressions, whose key
2289 // field is "key", the
2290 // operator is "In", and the values array contains only "value".
2291 // The requirements are ANDed.
2292 "matchLabels"?: {
2293 [string]: string
2294 }
2295 }
2296
2297 // UID specifies the resource uid.
2298 "uid"?: string
2299 }]
2300 }
2301
2302 // Name is a label to identify the rule. It must be unique within
2303 // the policy.
2304 "name"!: strings.MaxRunes(
2305 63)
2306
2307 // Preconditions are used to determine if a policy rule should be
2308 // applied by evaluating a
2309 // set of conditions. The declaration can contain nested `any` or
2310 // `all` statements. A direct list
2311 // of conditions (without `any` or `all` statements) is supported
2312 // for backwards compatibility but
2313 // will be deprecated in the next major release.
2314 // See: https://kyverno.io/docs/writing-policies/preconditions/
2315 "preconditions"?: null | bool | number | string | [...] | {
2316 ...
2317 }
2318
2319 // ReportProperties are the additional properties from the rule
2320 // that will be added to the policy report result
2321 "reportProperties"?: {
2322 [string]: string
2323 }
2324
2325 // SkipBackgroundRequests bypasses admission requests that are
2326 // sent by the background controller.
2327 // The default value is "true"; it must be set to "false"
2328 // to apply
2329 // generate and mutateExisting rules to those requests.
2330 "skipBackgroundRequests"?: bool
2331
2332 // Validation is used to validate matching resources.
2333 "validate"?: {
2334 // AllowExistingViolations allows preexisting violating resources
2335 // to continue violating a policy.
2336 "allowExistingViolations"?: bool
2337
2338 // AnyPattern specifies list of validation patterns. At least one
2339 // of the patterns
2340 // must be satisfied for the validation rule to succeed.
2341 "anyPattern"?: null | bool | number | string | [...] | {
2342 ...
2343 }
2344
2345 // Assert defines a kyverno-json assertion tree.
2346 "assert"?: {
2347 ...
2348 }
2349
2350 // CEL allows validation checks using the Common Expression
2351 // Language
2352 // (https://kubernetes.io/docs/reference/using-api/cel/).
2353 "cel"?: {
2354 // AuditAnnotations contains CEL expressions which are used to
2355 // produce audit annotations for the audit event of the API
2356 // request.
2357 "auditAnnotations"?: [...{
2358 // key specifies the audit annotation key. The audit annotation
2359 // keys of
2360 // a ValidatingAdmissionPolicy must be unique. The key must be a
2361 // qualified
2362 // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
2363 // length.
2364 //
2365 // The key is combined with the resource name of the
2366 // ValidatingAdmissionPolicy to construct an audit annotation key:
2367 // "{ValidatingAdmissionPolicy name}/{key}".
2368 //
2369 // If an admission webhook uses the same resource name as this
2370 // ValidatingAdmissionPolicy
2371 // and the same audit annotation key, the annotation key will be
2372 // identical.
2373 // In this case, the first annotation written with the key will be
2374 // included
2375 // in the audit event and all subsequent annotations with the same
2376 // key
2377 // will be discarded.
2378 //
2379 // Required.
2380 "key"!: string
2381
2382 // valueExpression represents the expression which is evaluated by
2383 // CEL to
2384 // produce an audit annotation value. The expression must evaluate
2385 // to either
2386 // a string or null value. If the expression evaluates to a
2387 // string, the
2388 // audit annotation is included with the string value. If the
2389 // expression
2390 // evaluates to null or empty string the audit annotation will be
2391 // omitted.
2392 // The valueExpression may be no longer than 5kb in length.
2393 // If the result of the valueExpression is more than 10kb in
2394 // length, it
2395 // will be truncated to 10kb.
2396 //
2397 // If multiple ValidatingAdmissionPolicyBinding resources match an
2398 // API request, then the valueExpression will be evaluated for
2399 // each binding. All unique values produced by the
2400 // valueExpressions
2401 // will be joined together in a comma-separated list.
2402 //
2403 // Required.
2404 "valueExpression"!: string
2405 }]
2406
2407 // Expressions is a list of CELExpression types.
2408 "expressions"?: [...{
2409 // Expression represents the expression which will be evaluated by
2410 // CEL.
2411 // ref: https://github.com/google/cel-spec
2412 // CEL expressions have access to the contents of the API
2413 // request/response, organized into CEL variables as well as some
2414 // other useful variables:
2415 //
2416 // - 'object' - The object from the incoming request. The value is
2417 // null for DELETE requests.
2418 // - 'oldObject' - The existing object. The value is null for
2419 // CREATE requests.
2420 // - 'request' - Attributes of the API
2421 // request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
2422 // - 'params' - Parameter resource referred to by the policy
2423 // binding being evaluated. Only populated if the policy has a
2424 // ParamKind.
2425 // - 'namespaceObject' - The namespace object that the incoming
2426 // object belongs to. The value is null for cluster-scoped
2427 // resources.
2428 // - 'variables' - Map of composited variables, from its name to
2429 // its lazily evaluated value.
2430 // For example, a variable named 'foo' can be accessed as
2431 // 'variables.foo'.
2432 // - 'authorizer' - A CEL Authorizer. May be used to perform
2433 // authorization checks for the principal (user or service
2434 // account) of the request.
2435 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
2436 // - 'authorizer.requestResource' - A CEL ResourceCheck
2437 // constructed from the 'authorizer' and configured with the
2438 // request resource.
2439 //
2440 // The `apiVersion`, `kind`, `metadata.name` and
2441 // `metadata.generateName` are always accessible from the root of
2442 // the
2443 // object. No other metadata properties are accessible.
2444 //
2445 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
2446 // are accessible.
2447 // Accessible property names are escaped according to the
2448 // following rules when accessed in the expression:
2449 // - '__' escapes to '__underscores__'
2450 // - '.' escapes to '__dot__'
2451 // - '-' escapes to '__dash__'
2452 // - '/' escapes to '__slash__'
2453 // - Property names that exactly match a CEL RESERVED keyword
2454 // escape to '__{keyword}__'. The keywords are:
2455 // "true", "false", "null", "in", "as", "break", "const",
2456 // "continue", "else", "for", "function", "if",
2457 // "import", "let", "loop", "package", "namespace", "return".
2458 // Examples:
2459 // - Expression accessing a property named "namespace":
2460 // {"Expression": "object.__namespace__ > 0"}
2461 // - Expression accessing a property named "x-prop":
2462 // {"Expression": "object.x__dash__prop > 0"}
2463 // - Expression accessing a property named "redact__d":
2464 // {"Expression": "object.redact__underscores__d > 0"}
2465 //
2466 // Equality on arrays with list type of 'set' or 'map' ignores
2467 // element order, i.e. [1, 2] == [2, 1].
2468 // Concatenation on arrays with x-kubernetes-list-type use the
2469 // semantics of the list type:
2470 // - 'set': `X + Y` performs a union where the array positions of
2471 // all elements in `X` are preserved and
2472 // non-intersecting elements in `Y` are appended, retaining their
2473 // partial order.
2474 // - 'map': `X + Y` performs a merge where the array positions of
2475 // all keys in `X` are preserved but the values
2476 // are overwritten by values in `Y` when the key sets of `X` and
2477 // `Y` intersect. Elements in `Y` with
2478 // non-intersecting keys are appended, retaining their partial
2479 // order.
2480 // Required.
2481 "expression"!: string
2482
2483 // Message represents the message displayed when validation fails.
2484 // The message is required if the Expression contains
2485 // line breaks. The message must not contain line breaks.
2486 // If unset, the message is "failed rule: {Rule}".
2487 // e.g. "must be a URL with the host matching spec.host"
2488 // If the Expression contains line breaks. Message is required.
2489 // The message must not contain line breaks.
2490 // If unset, the message is "failed Expression: {Expression}".
2491 "message"?: string
2492
2493 // messageExpression declares a CEL expression that evaluates to
2494 // the validation failure message that is returned when this rule
2495 // fails.
2496 // Since messageExpression is used as a failure message, it must
2497 // evaluate to a string.
2498 // If both message and messageExpression are present on a
2499 // validation, then messageExpression will be used if validation
2500 // fails.
2501 // If messageExpression results in a runtime error, the runtime
2502 // error is logged, and the validation failure message is
2503 // produced
2504 // as if the messageExpression field were unset. If
2505 // messageExpression evaluates to an empty string, a string with
2506 // only spaces, or a string
2507 // that contains line breaks, then the validation failure message
2508 // will also be produced as if the messageExpression field were
2509 // unset, and
2510 // the fact that messageExpression produced an empty string/string
2511 // with only spaces/string with line breaks will be logged.
2512 // messageExpression has access to all the same variables as the
2513 // `expression` except for 'authorizer' and
2514 // 'authorizer.requestResource'.
2515 // Example:
2516 // "object.x must be less than max ("+string(params.max)+")"
2517 "messageExpression"?: string
2518
2519 // Reason represents a machine-readable description of why this
2520 // validation failed.
2521 // If this is the first validation in the list to fail, this
2522 // reason, as well as the
2523 // corresponding HTTP response code, are used in the
2524 // HTTP response to the client.
2525 // The currently supported reasons are: "Unauthorized",
2526 // "Forbidden", "Invalid", "RequestEntityTooLarge".
2527 // If not set, StatusReasonInvalid is used in the response to the
2528 // client.
2529 "reason"?: string
2530 }]
2531
2532 // ParamKind is a tuple of Group Kind and Version.
2533 "paramKind"?: {
2534 // APIVersion is the API group version the resources belong to.
2535 // In format of "group/version".
2536 // Required.
2537 "apiVersion"?: string
2538
2539 // Kind is the API kind the resources belong to.
2540 // Required.
2541 "kind"?: string
2542 }
2543
2544 // ParamRef references a parameter resource.
2545 "paramRef"?: {
2546 // name is the name of the resource being referenced.
2547 //
2548 // One of `name` or `selector` must be set, but `name` and
2549 // `selector` are
2550 // mutually exclusive properties. If one is set, the other must be
2551 // unset.
2552 //
2553 // A single parameter used for all admission requests can be
2554 // configured
2555 // by setting the `name` field, leaving `selector` blank, and
2556 // setting namespace
2557 // if `paramKind` is namespace-scoped.
2558 "name"?: string
2559
2560 // namespace is the namespace of the referenced resource. Allows
2561 // limiting
2562 // the search for params to a specific namespace. Applies to both
2563 // `name` and
2564 // `selector` fields.
2565 //
2566 // A per-namespace parameter may be used by specifying a
2567 // namespace-scoped
2568 // `paramKind` in the policy and leaving this field empty.
2569 //
2570 // - If `paramKind` is cluster-scoped, this field MUST be unset.
2571 // Setting this
2572 // field results in a configuration error.
2573 //
2574 // - If `paramKind` is namespace-scoped, the namespace of the
2575 // object being
2576 // evaluated for admission will be used when this field is left
2577 // unset. Take
2578 // care that if this is left empty the binding must not match any
2579 // cluster-scoped
2580 // resources, which will result in an error.
2581 "namespace"?: string
2582
2583 // `parameterNotFoundAction` controls the behavior of the binding
2584 // when the resource
2585 // exists, and name or selector is valid, but there are no
2586 // parameters
2587 // matched by the binding. If the value is set to `Allow`, then no
2588 // matched parameters will be treated as successful validation by
2589 // the binding.
2590 // If set to `Deny`, then no matched parameters will be subject to
2591 // the
2592 // `failurePolicy` of the policy.
2593 //
2594 // Allowed values are `Allow` or `Deny`
2595 //
2596 // Required
2597 "parameterNotFoundAction"?: string
2598
2599 // selector can be used to match multiple param objects based on
2600 // their labels.
2601 // Supply selector: {} to match all resources of the ParamKind.
2602 //
2603 // If multiple params are found, they are all evaluated with the
2604 // policy expressions
2605 // and the results are ANDed together.
2606 //
2607 // One of `name` or `selector` must be set, but `name` and
2608 // `selector` are
2609 // mutually exclusive properties. If one is set, the other must be
2610 // unset.
2611 "selector"?: {
2612 // matchExpressions is a list of label selector requirements. The
2613 // requirements are ANDed.
2614 "matchExpressions"?: [...{
2615 // key is the label key that the selector applies to.
2616 "key"!: string
2617
2618 // operator represents a key's relationship to a set of values.
2619 // Valid operators are In, NotIn, Exists and DoesNotExist.
2620 "operator"!: string
2621
2622 // values is an array of string values. If the operator is In or
2623 // NotIn,
2624 // the values array must be non-empty. If the operator is Exists
2625 // or DoesNotExist,
2626 // the values array must be empty. This array is replaced during a
2627 // strategic
2628 // merge patch.
2629 "values"?: [...string]
2630 }]
2631
2632 // matchLabels is a map of {key,value} pairs. A single {key,value}
2633 // in the matchLabels
2634 // map is equivalent to an element of matchExpressions, whose key
2635 // field is "key", the
2636 // operator is "In", and the values array contains only "value".
2637 // The requirements are ANDed.
2638 "matchLabels"?: {
2639 [string]: string
2640 }
2641 }
2642 }
2643
2644 // Variables contain definitions of variables that can be used in
2645 // composition of other expressions.
2646 // Each variable is defined as a named CEL expression.
2647 // The variables defined here will be available under `variables`
2648 // in other expressions of the policy.
2649 "variables"?: [...{
2650 // Expression is the expression that will be evaluated as the
2651 // value of the variable.
2652 // The CEL expression has access to the same identifiers as the
2653 // CEL expressions in Validation.
2654 "expression"!: string
2655
2656 // Name is the name of the variable. The name must be a valid CEL
2657 // identifier and unique among all variables.
2658 // The variable can be accessed in other expressions through
2659 // `variables`
2660 // For example, if name is "foo", the variable will be available
2661 // as `variables.foo`
2662 "name"!: string
2663 }]
2664 }
2665
2666 // Deny defines conditions used to pass or fail a validation rule.
2667 "deny"?: {
2668 // Multiple conditions can be declared under an `any` or `all`
2669 // statement. A direct list
2670 // of conditions (without `any` or `all` statements) is also
2671 // supported for backwards compatibility
2672 // but will be deprecated in the next major release.
2673 // See:
2674 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
2675 "conditions"?: null | bool | number | string | [...] | {
2676 ...
2677 }
2678 }
2679
2680 // FailureAction defines if a validation policy rule violation
2681 // should block
2682 // the admission review request (Enforce), or allow (Audit) the
2683 // admission review request
2684 // and report an error in a policy report. Optional.
2685 // Allowed values are Audit or Enforce.
2686 "failureAction"?: "Audit" | "Enforce"
2687
2688 // FailureActionOverrides is a Cluster Policy attribute that
2689 // specifies FailureAction
2690 // namespace-wise. It overrides FailureAction for the specified
2691 // namespaces.
2692 "failureActionOverrides"?: [...{
2693 // ValidationFailureAction defines the policy validation failure
2694 // action
2695 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
2696
2697 // A label selector is a label query over a set of resources. The
2698 // result of matchLabels and
2699 // matchExpressions are ANDed. An empty label selector matches all
2700 // objects. A null
2701 // label selector matches no objects.
2702 "namespaceSelector"?: {
2703 // matchExpressions is a list of label selector requirements. The
2704 // requirements are ANDed.
2705 "matchExpressions"?: [...{
2706 // key is the label key that the selector applies to.
2707 "key"!: string
2708
2709 // operator represents a key's relationship to a set of values.
2710 // Valid operators are In, NotIn, Exists and DoesNotExist.
2711 "operator"!: string
2712
2713 // values is an array of string values. If the operator is In or
2714 // NotIn,
2715 // the values array must be non-empty. If the operator is Exists
2716 // or DoesNotExist,
2717 // the values array must be empty. This array is replaced during a
2718 // strategic
2719 // merge patch.
2720 "values"?: [...string]
2721 }]
2722
2723 // matchLabels is a map of {key,value} pairs. A single {key,value}
2724 // in the matchLabels
2725 // map is equivalent to an element of matchExpressions, whose key
2726 // field is "key", the
2727 // operator is "In", and the values array contains only "value".
2728 // The requirements are ANDed.
2729 "matchLabels"?: {
2730 [string]: string
2731 }
2732 }
2733 "namespaces"?: [...string]
2734 }]
2735
2736 // ForEach applies validate rules to a list of sub-elements by
2737 // creating a context for each entry in the list and looping over
2738 // it to apply the specified logic.
2739 "foreach"?: [...{
2740 // AnyPattern specifies list of validation patterns. At least one
2741 // of the patterns
2742 // must be satisfied for the validation rule to succeed.
2743 "anyPattern"?: null | bool | number | string | [...] | {
2744 ...
2745 }
2746
2747 // Context defines variables and data sources that can be used
2748 // during rule execution.
2749 "context"?: [...matchN(1, [{
2750 "configMap"!: _
2751 }, {
2752 "apiCall"!: _
2753 }, {
2754 "imageRegistry"!: _
2755 }, {
2756 "variable"!: _
2757 }, {
2758 "globalReference"!: _
2759 }]) & {
2760 // APICall is an HTTP request to the Kubernetes API server, or
2761 // other JSON web service.
2762 // The data returned is stored in the context with the name for
2763 // the context entry.
2764 "apiCall"?: {
2765 // The data object specifies the POST data sent to the server.
2766 // Only applicable when the method field is set to POST.
2767 "data"?: [...{
2768 // Key is a unique identifier for the data value
2769 "key"!: string
2770
2771 // Value is the data value
2772 "value"!: null | bool | number | string | [...] | {
2773 ...
2774 }
2775 }]
2776
2777 // Default is an optional arbitrary JSON object that the context
2778 // value is set to, if the apiCall returns error.
2779 "default"?: null | bool | number | string | [...] | {
2780 ...
2781 }
2782
2783 // JMESPath is an optional JSON Match Expression that can be used
2784 // to
2785 // transform the JSON response returned from the server. For
2786 // example
2787 // a JMESPath of "items | length(@)" applied to the API server
2788 // response
2789 // for the URLPath "/apis/apps/v1/deployments" will return the
2790 // total count
2791 // of deployments across all namespaces.
2792 "jmesPath"?: string
2793
2794 // Method is the HTTP request type (GET or POST). Defaults to GET.
2795 "method"?: "GET" | "POST"
2796
2797 // Service is an API call to a JSON web service.
2798 // This is used for non-Kubernetes API server calls.
2799 // It's mutually exclusive with the URLPath field.
2800 "service"?: {
2801 // CABundle is a PEM encoded CA bundle which will be used to
2802 // validate
2803 // the server certificate.
2804 "caBundle"?: string
2805
2806 // Headers is a list of optional HTTP headers to be included in
2807 // the request.
2808 "headers"?: [...{
2809 // Key is the header key
2810 "key"!: string
2811
2812 // Value is the header value
2813 "value"!: string
2814 }]
2815
2816 // URL is the JSON web service URL. A typical form is
2817 // `https://{service}.{namespace}:{port}/{path}`.
2818 "url"!: string
2819 }
2820
2821 // URLPath is the URL path to be used in the HTTP GET or POST
2822 // request to the
2823 // Kubernetes API server (e.g. "/api/v1/namespaces" or
2824 // "/apis/apps/v1/deployments").
2825 // The format required is the same format used by the `kubectl get
2826 // --raw` command.
2827 // See
2828 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2829 // for details.
2830 // It's mutually exclusive with the Service field.
2831 "urlPath"?: string
2832 }
2833
2834 // ConfigMap is the ConfigMap reference.
2835 "configMap"?: {
2836 // Name is the ConfigMap name.
2837 "name"!: string
2838
2839 // Namespace is the ConfigMap namespace.
2840 "namespace"?: string
2841 }
2842
2843 // GlobalContextEntryReference is a reference to a cached global
2844 // context entry.
2845 "globalReference"?: {
2846 // JMESPath is an optional JSON Match Expression that can be used
2847 // to
2848 // transform the JSON response returned from the server. For
2849 // example
2850 // a JMESPath of "items | length(@)" applied to the API server
2851 // response
2852 // for the URLPath "/apis/apps/v1/deployments" will return the
2853 // total count
2854 // of deployments across all namespaces.
2855 "jmesPath"?: string
2856
2857 // Name of the global context entry
2858 "name"!: string
2859 }
2860
2861 // ImageRegistry defines requests to an OCI/Docker V2 registry to
2862 // fetch image
2863 // details.
2864 "imageRegistry"?: {
2865 // ImageRegistryCredentials provides credentials that will be used
2866 // for authentication with the registry.
2867 "imageRegistryCredentials"?: {
2868 // AllowInsecureRegistry allows insecure access to a registry.
2869 "allowInsecureRegistry"?: bool
2870
2871 // Providers specifies a list of OCI Registry names, whose
2872 // authentication providers are provided.
2873 // It can be of one of these values:
2874 // default,google,azure,amazon,github.
2875 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2876
2877 // Secrets specifies a list of secrets that are provided for
2878 // credentials.
2879 // Secrets must live in the Kyverno namespace.
2880 "secrets"?: [...string]
2881 }
2882
2883 // JMESPath is an optional JSON Match Expression that can be used
2884 // to
2885 // transform the ImageData struct returned as a result of
2886 // processing
2887 // the image reference.
2888 "jmesPath"?: string
2889
2890 // Reference is image reference to a container image in the
2891 // registry.
2892 // Example: ghcr.io/kyverno/kyverno:latest
2893 "reference"!: string
2894 }
2895
2896 // Name is the variable name.
2897 "name"!: string
2898
2899 // Variable defines an arbitrary JMESPath context variable that
2900 // can be defined inline.
2901 "variable"?: {
2902 // Default is an optional arbitrary JSON object that the variable
2903 // may take if the JMESPath
2904 // expression evaluates to nil
2905 "default"?: null | bool | number | string | [...] | {
2906 ...
2907 }
2908
2909 // JMESPath is an optional JMESPath Expression that can be used to
2910 // transform the variable.
2911 "jmesPath"?: string
2912
2913 // Value is any arbitrary JSON object representable in YAML or
2914 // JSON form.
2915 "value"?: null | bool | number | string | [...] | {
2916 ...
2917 }
2918 }
2919 }]
2920
2921 // Deny defines conditions used to pass or fail a validation rule.
2922 "deny"?: {
2923 // Multiple conditions can be declared under an `any` or `all`
2924 // statement. A direct list
2925 // of conditions (without `any` or `all` statements) is also
2926 // supported for backwards compatibility
2927 // but will be deprecated in the next major release.
2928 // See:
2929 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
2930 "conditions"?: null | bool | number | string | [...] | {
2931 ...
2932 }
2933 }
2934
2935 // ElementScope specifies whether to use the current list element
2936 // as the scope for validation. Defaults to "true" if not
2937 // specified.
2938 // When set to "false", "request.object" is used as the validation
2939 // scope within the foreach
2940 // block to allow referencing other elements in the subtree.
2941 "elementScope"?: bool
2942
2943 // Foreach declares a nested foreach iterator
2944 "foreach"?: null | bool | number | string | [...] | {
2945 ...
2946 }
2947
2948 // List specifies a JMESPath expression that results in one or
2949 // more elements
2950 // to which the validation logic is applied.
2951 "list"?: string
2952
2953 // Pattern specifies an overlay-style pattern used to check
2954 // resources.
2955 "pattern"?: null | bool | number | string | [...] | {
2956 ...
2957 }
2958
2959 // AnyAllConditions are used to determine if a policy rule should
2960 // be applied by evaluating a
2961 // set of conditions. The declaration can contain nested `any` or
2962 // `all` statements.
2963 // See: https://kyverno.io/docs/writing-policies/preconditions/
2964 "preconditions"?: {
2965 // AllConditions enable variable-based conditional rule execution.
2966 // This is useful for
2967 // finer control of when a rule is applied. A condition can
2968 // reference object data
2969 // using JMESPath notation.
2970 // Here, all of the conditions need to pass
2971 "all"?: [...{
2972 // Key is the context entry (using JMESPath) for conditional rule
2973 // evaluation.
2974 "key"?: null | bool | number | string | [...] | {
2975 ...
2976 }
2977
2978 // Message is an optional display message
2979 "message"?: string
2980
2981 // Operator is the conditional operation to perform. Valid
2982 // operators are:
2983 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2984 // GreaterThanOrEquals,
2985 // GreaterThan, LessThanOrEquals, LessThan,
2986 // DurationGreaterThanOrEquals, DurationGreaterThan,
2987 // DurationLessThanOrEquals, DurationLessThan
2988 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2989
2990 // Value is the conditional value, or set of values. The values
2991 // can be fixed set
2992 // or can be variables declared using JMESPath.
2993 "value"?: null | bool | number | string | [...] | {
2994 ...
2995 }
2996 }]
2997
2998 // AnyConditions enable variable-based conditional rule execution.
2999 // This is useful for
3000 // finer control of when a rule is applied. A condition can
3001 // reference object data
3002 // using JMESPath notation.
3003 // Here, at least one of the conditions needs to pass
3004 "any"?: [...{
3005 // Key is the context entry (using JMESPath) for conditional rule
3006 // evaluation.
3007 "key"?: null | bool | number | string | [...] | {
3008 ...
3009 }
3010
3011 // Message is an optional display message
3012 "message"?: string
3013
3014 // Operator is the conditional operation to perform. Valid
3015 // operators are:
3016 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3017 // GreaterThanOrEquals,
3018 // GreaterThan, LessThanOrEquals, LessThan,
3019 // DurationGreaterThanOrEquals, DurationGreaterThan,
3020 // DurationLessThanOrEquals, DurationLessThan
3021 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3022
3023 // Value is the conditional value, or set of values. The values
3024 // can be fixed set
3025 // or can be variables declared using JMESPath.
3026 "value"?: null | bool | number | string | [...] | {
3027 ...
3028 }
3029 }]
3030 ...
3031 }
3032 }]
3033
3034 // Manifest specifies conditions for manifest verification
3035 "manifests"?: {
3036 // AnnotationDomain is custom domain of annotation for message and
3037 // signature. Default is "cosign.sigstore.dev".
3038 "annotationDomain"?: string
3039
3040 // Attestors specify the required attestors (i.e. authorities)
3041 "attestors"?: [...{
3042 // Count specifies the required number of entries that must match.
3043 // If the count is null, all entries must match
3044 // (a logical AND). If the count is 1, at least one entry must
3045 // match (a logical OR). If the count contains a
3046 // value N, then N must be less than or equal to the size of
3047 // entries, and at least N entries must match.
3048 "count"?: int & >=1
3049
3050 // Entries contains the available attestors. An attestor can be a
3051 // static key,
3052 // attributes for keyless verification, or a nested attestor
3053 // declaration.
3054 "entries"?: [...{
3055 // Annotations are used for image verification.
3056 // Every specified key-value pair must exist and match in the
3057 // verified payload.
3058 // The payload may contain other key-value pairs.
3059 "annotations"?: [string]: string
3060
3061 // Attestor is a nested set of Attestor used to specify a more
3062 // complex set of match authorities.
3063 "attestor"?: null | bool | number | string | [...] | {
3064 ...
3065 }
3066
3067 // Certificates specifies one or more certificates.
3068 "certificates"?: {
3069 // Cert is an optional PEM-encoded public certificate.
3070 "cert"?: string
3071
3072 // CertChain is an optional PEM encoded set of certificates used
3073 // to verify.
3074 "certChain"?: string
3075
3076 // CTLog (certificate timestamp log) provides a configuration for
3077 // validation of Signed Certificate
3078 // Timestamps (SCTs). If the value is unset, the default behavior
3079 // by Cosign is used.
3080 "ctlog"?: {
3081 // IgnoreSCT defines whether to use the Signed Certificate
3082 // Timestamp (SCT) log to check for a certificate
3083 // timestamp. Default is false. Set to true if this was opted out
3084 // during signing.
3085 "ignoreSCT"?: bool
3086
3087 // PubKey, if set, is used to validate SCTs against a custom
3088 // source.
3089 "pubkey"?: string
3090
3091 // TSACertChain, if set, is the PEM-encoded certificate chain file
3092 // for the RFC3161 timestamp authority. Must
3093 // contain the root CA certificate. Optionally may contain
3094 // intermediate CA certificates, and
3095 // may contain the leaf TSA certificate if not present in the
3096 // RFC 3161 timestamp response.
3097 "tsaCertChain"?: string
3098 }
3099
3100 // Rekor provides configuration for the Rekor transparency log
3101 // service. If an empty object
3102 // is provided the public instance of Rekor
3103 // (https://rekor.sigstore.dev) is used.
3104 "rekor"?: {
3105 // IgnoreTlog skips transparency log verification.
3106 "ignoreTlog"?: bool
3107
3108 // RekorPubKey is an optional PEM-encoded public key to use for a
3109 // custom Rekor.
3110 // If set, this will be used to validate transparency log
3111 // signatures from a custom Rekor.
3112 "pubkey"?: string
3113
3114 // URL is the address of the transparency log. Defaults to the
3115 // public Rekor log instance https://rekor.sigstore.dev.
3116 "url"?: string
3117 }
3118 }
3119
3120 // Keyless is a set of attributes used to verify a Sigstore keyless
3121 // attestor.
3122 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3123 "keyless"?: {
3124 // AdditionalExtensions are certificate-extensions used for
3125 // keyless signing.
3126 "additionalExtensions"?: [string]: string
3127
3128 // CTLog (certificate timestamp log) provides a configuration for
3129 // validation of Signed Certificate
3130 // Timestamps (SCTs). If the value is unset, the default behavior
3131 // by Cosign is used.
3132 "ctlog"?: {
3133 // IgnoreSCT defines whether to use the Signed Certificate
3134 // Timestamp (SCT) log to check for a certificate
3135 // timestamp. Default is false. Set to true if this was opted out
3136 // during signing.
3137 "ignoreSCT"?: bool
3138
3139 // PubKey, if set, is used to validate SCTs against a custom
3140 // source.
3141 "pubkey"?: string
3142
3143 // TSACertChain, if set, is the PEM-encoded certificate chain file
3144 // for the RFC3161 timestamp authority. Must
3145 // contain the root CA certificate. Optionally may contain
3146 // intermediate CA certificates, and
3147 // may contain the leaf TSA certificate if not present in the
3148 // RFC 3161 timestamp response.
3149 "tsaCertChain"?: string
3150 }
3151
3152 // Issuer is the certificate issuer used for keyless signing.
3153 "issuer"?: string
3154
3155 // IssuerRegExp is the regular expression to match certificate
3156 // issuer used for keyless signing.
3157 "issuerRegExp"?: string
3158
3159 // Rekor provides configuration for the Rekor transparency log
3160 // service. If an empty object
3161 // is provided the public instance of Rekor
3162 // (https://rekor.sigstore.dev) is used.
3163 "rekor"?: {
3164 // IgnoreTlog skips transparency log verification.
3165 "ignoreTlog"?: bool
3166
3167 // RekorPubKey is an optional PEM-encoded public key to use for a
3168 // custom Rekor.
3169 // If set, this will be used to validate transparency log
3170 // signatures from a custom Rekor.
3171 "pubkey"?: string
3172
3173 // URL is the address of the transparency log. Defaults to the
3174 // public Rekor log instance https://rekor.sigstore.dev.
3175 "url"?: string
3176 }
3177
3178 // Roots is an optional set of PEM encoded trusted root
3179 // certificates.
3180 // If not provided, the system roots are used.
3181 "roots"?: string
3182
3183 // Subject is the verified identity used for keyless signing, for
3184 // example the email address.
3185 "subject"?: string
3186
3187 // SubjectRegExp is the regular expression to match identity used
3188 // for keyless signing, for example the email address.
3189 "subjectRegExp"?: string
3190 }
3191
3192 // Keys specifies one or more public keys.
3193 "keys"?: {
3194 // CTLog (certificate timestamp log) provides a configuration for
3195 // validation of Signed Certificate
3196 // Timestamps (SCTs). If the value is unset, the default behavior
3197 // by Cosign is used.
3198 "ctlog"?: {
3199 // IgnoreSCT defines whether to use the Signed Certificate
3200 // Timestamp (SCT) log to check for a certificate
3201 // timestamp. Default is false. Set to true if this was opted out
3202 // during signing.
3203 "ignoreSCT"?: bool
3204
3205 // PubKey, if set, is used to validate SCTs against a custom
3206 // source.
3207 "pubkey"?: string
3208
3209 // TSACertChain, if set, is the PEM-encoded certificate chain file
3210 // for the RFC3161 timestamp authority. Must
3211 // contain the root CA certificate. Optionally may contain
3212 // intermediate CA certificates, and
3213 // may contain the leaf TSA certificate if not present in the
3214 // RFC 3161 timestamp response.
3215 "tsaCertChain"?: string
3216 }
3217
3218 // KMS provides the URI to the public key stored in a Key
3219 // Management System. See:
3220 // https://github.com/sigstore/cosign/blob/main/KMS.md
3221 "kms"?: string
3222
3223 // Keys is a set of X.509 public keys used to verify image
3224 // signatures. The keys can be directly
3225 // specified or can be a variable reference to a key specified in
3226 // a ConfigMap (see
3227 // https://kyverno.io/docs/writing-policies/variables/), or
3228 // reference a standard Kubernetes Secret
3229 // elsewhere in the cluster by specifying it in the format
3230 // "k8s://<namespace>/<secret_name>".
3231 // The named Secret must specify a key `cosign.pub` containing the
3232 // public key used for
3233 // verification, (see
3234 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3235 // When multiple keys are specified each key is processed as a
3236 // separate staticKey entry
3237 // (.attestors[*].entries.keys) within the set of attestors and
3238 // the count is applied across the keys.
3239 "publicKeys"?: string
3240
3241 // Rekor provides configuration for the Rekor transparency log
3242 // service. If an empty object
3243 // is provided the public instance of Rekor
3244 // (https://rekor.sigstore.dev) is used.
3245 "rekor"?: {
3246 // IgnoreTlog skips transparency log verification.
3247 "ignoreTlog"?: bool
3248
3249 // RekorPubKey is an optional PEM-encoded public key to use for a
3250 // custom Rekor.
3251 // If set, this will be used to validate transparency log
3252 // signatures from a custom Rekor.
3253 "pubkey"?: string
3254
3255 // URL is the address of the transparency log. Defaults to the
3256 // public Rekor log instance https://rekor.sigstore.dev.
3257 "url"?: string
3258 }
3259
3260 // Reference to a Secret resource that contains a public key
3261 "secret"?: {
3262 // Name of the secret. The provided secret must contain a key
3263 // named cosign.pub.
3264 "name"!: string
3265
3266 // Namespace name where the Secret exists.
3267 "namespace"!: string
3268 }
3269
3270 // Deprecated. Use attestor.signatureAlgorithm instead.
3271 "signatureAlgorithm"?: string
3272 }
3273
3274 // Repository is an optional alternate OCI repository to use for
3275 // signatures and attestations that match this rule.
3276 // If specified Repository will override other OCI image
3277 // repository locations for this Attestor.
3278 "repository"?: string
3279
3280 // Specify signature algorithm for public keys. Supported values
3281 // are sha224, sha256, sha384 and sha512.
3282 "signatureAlgorithm"?: string
3283 }]
3284 }]
3285
3286 // DryRun configuration
3287 "dryRun"?: {
3288 "enable"?: bool
3289 "namespace"?: string
3290 }
3291
3292 // Fields which will be ignored while comparing manifests.
3293 "ignoreFields"?: [...{
3294 "fields"?: [...string]
3295 "objects"?: [...{
3296 "group"?: string
3297 "kind"?: string
3298 "name"?: string
3299 "namespace"?: string
3300 "version"?: string
3301 }]
3302 }]
3303
3304 // Repository is an optional alternate OCI repository to use for
3305 // resource bundle reference.
3306 // The repository can be overridden per Attestor or Attestation.
3307 "repository"?: string
3308 }
3309
3310 // Message specifies a custom message to be displayed on failure.
3311 "message"?: string
3312
3313 // Pattern specifies an overlay-style pattern used to check
3314 // resources.
3315 "pattern"?: null | bool | number | string | [...] | {
3316 ...
3317 }
3318
3319 // PodSecurity applies exemptions for Kubernetes Pod Security
3320 // admission
3321 // by specifying exclusions for Pod Security Standards controls.
3322 "podSecurity"?: {
3323 // Exclude specifies the Pod Security Standard controls to be
3324 // excluded.
3325 "exclude"?: [...{
3326 // ControlName specifies the name of the Pod Security Standard
3327 // control.
3328 // See:
3329 // https://kubernetes.io/docs/concepts/security/pod-security-standards/
3330 "controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
3331
3332 // Images selects matching containers and applies the container
3333 // level PSS.
3334 // Each image is the image name consisting of the registry
3335 // address, repository, image, and tag.
3336 // An empty list matches no containers; PSS checks are then applied
3337 // at the pod level only.
3338 // Wildcards ('*' and '?') are allowed. See:
3339 // https://kubernetes.io/docs/concepts/containers/images.
3340 "images"?: [...string]
3341
3342 // RestrictedField selects the field for the given Pod Security
3343 // Standard control.
3344 // When not set, all restricted fields for the control are
3345 // selected.
3346 "restrictedField"?: string
3347
3348 // Values defines the allowed values that can be excluded.
3349 "values"?: [...string]
3350 }]
3351
3352 // Level defines the Pod Security Standard level to be applied to
3353 // workloads.
3354 // Allowed values are privileged, baseline, and restricted.
3355 "level"?: "privileged" | "baseline" | "restricted"
3356
3357 // Version defines the Pod Security Standard versions that
3358 // Kubernetes supports.
3359 // Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
3360 // v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
3361 "version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
3362 }
3363 }
3364
3365 // VerifyImages is used to verify image signatures and mutate them
3366 // to add a digest
3367 "verifyImages"?: [...{
3368 // Deprecated.
3369 "additionalExtensions"?: [string]: string
3370
3371 // Deprecated. Use annotations per Attestor instead.
3372 "annotations"?: {
3373 [string]: string
3374 }
3375
3376 // Attestations are optional checks for signed in-toto Statements
3377 // used to verify the image.
3378 // See https://github.com/in-toto/attestation. Kyverno fetches
3379 // signed attestations from the
3380 // OCI registry and decodes them into a list of Statement
3381 // declarations.
3382 "attestations"?: [...{
3383 // Attestors specify the required attestors (i.e. authorities).
3384 "attestors"?: [...{
3385 // Count specifies the required number of entries that must match.
3386 // If the count is null, all entries must match
3387 // (a logical AND). If the count is 1, at least one entry must
3388 // match (a logical OR). If the count contains a
3389 // value N, then N must be less than or equal to the size of
3390 // entries, and at least N entries must match.
3391 "count"?: int & >=1
3392
3393 // Entries contains the available attestors. An attestor can be a
3394 // static key,
3395 // attributes for keyless verification, or a nested attestor
3396 // declaration.
3397 "entries"?: [...{
3398 // Annotations are used for image verification.
3399 // Every specified key-value pair must exist and match in the
3400 // verified payload.
3401 // The payload may contain other key-value pairs.
3402 "annotations"?: [string]: string
3403
3404 // Attestor is a nested set of Attestor used to specify a more
3405 // complex set of match authorities.
3406 "attestor"?: null | bool | number | string | [...] | {
3407 ...
3408 }
3409
3410 // Certificates specifies one or more certificates.
3411 "certificates"?: {
3412 // Cert is an optional PEM-encoded public certificate.
3413 "cert"?: string
3414
3415 // CertChain is an optional PEM encoded set of certificates used
3416 // to verify.
3417 "certChain"?: string
3418
3419 // CTLog (certificate timestamp log) provides a configuration for
3420 // validation of Signed Certificate
3421 // Timestamps (SCTs). If the value is unset, the default behavior
3422 // by Cosign is used.
3423 "ctlog"?: {
3424 // IgnoreSCT defines whether to use the Signed Certificate
3425 // Timestamp (SCT) log to check for a certificate
3426 // timestamp. Default is false. Set to true if this was opted out
3427 // during signing.
3428 "ignoreSCT"?: bool
3429
3430 // PubKey, if set, is used to validate SCTs against a custom
3431 // source.
3432 "pubkey"?: string
3433
3434 // TSACertChain, if set, is the PEM-encoded certificate chain file
3435 // for the RFC3161 timestamp authority. Must
3436 // contain the root CA certificate. Optionally may contain
3437 // intermediate CA certificates, and
3438 // may contain the leaf TSA certificate if not present in the
3439 // RFC 3161 timestamp response.
3440 "tsaCertChain"?: string
3441 }
3442
3443 // Rekor provides configuration for the Rekor transparency log
3444 // service. If an empty object
3445 // is provided the public instance of Rekor
3446 // (https://rekor.sigstore.dev) is used.
3447 "rekor"?: {
3448 // IgnoreTlog skips transparency log verification.
3449 "ignoreTlog"?: bool
3450
3451 // RekorPubKey is an optional PEM-encoded public key to use for a
3452 // custom Rekor.
3453 // If set, this will be used to validate transparency log
3454 // signatures from a custom Rekor.
3455 "pubkey"?: string
3456
3457 // URL is the address of the transparency log. Defaults to the
3458 // public Rekor log instance https://rekor.sigstore.dev.
3459 "url"?: string
3460 }
3461 }
3462
3463 // Keyless is a set of attributes used to verify a Sigstore keyless
3464 // attestor.
3465 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3466 "keyless"?: {
3467 // AdditionalExtensions are certificate-extensions used for
3468 // keyless signing.
3469 "additionalExtensions"?: [string]: string
3470
3471 // CTLog (certificate timestamp log) provides a configuration for
3472 // validation of Signed Certificate
3473 // Timestamps (SCTs). If the value is unset, the default behavior
3474 // by Cosign is used.
3475 "ctlog"?: {
3476 // IgnoreSCT defines whether to use the Signed Certificate
3477 // Timestamp (SCT) log to check for a certificate
3478 // timestamp. Default is false. Set to true if this was opted out
3479 // during signing.
3480 "ignoreSCT"?: bool
3481
3482 // PubKey, if set, is used to validate SCTs against a custom
3483 // source.
3484 "pubkey"?: string
3485
3486 // TSACertChain, if set, is the PEM-encoded certificate chain file
3487 // for the RFC3161 timestamp authority. Must
3488 // contain the root CA certificate. Optionally may contain
3489 // intermediate CA certificates, and
3490 // may contain the leaf TSA certificate if not present in the
3491 // RFC 3161 timestamp response.
3492 "tsaCertChain"?: string
3493 }
3494
3495 // Issuer is the certificate issuer used for keyless signing.
3496 "issuer"?: string
3497
3498 // IssuerRegExp is the regular expression to match certificate
3499 // issuer used for keyless signing.
3500 "issuerRegExp"?: string
3501
3502 // Rekor provides configuration for the Rekor transparency log
3503 // service. If an empty object
3504 // is provided the public instance of Rekor
3505 // (https://rekor.sigstore.dev) is used.
3506 "rekor"?: {
3507 // IgnoreTlog skips transparency log verification.
3508 "ignoreTlog"?: bool
3509
3510 // RekorPubKey is an optional PEM-encoded public key to use for a
3511 // custom Rekor.
3512 // If set, this will be used to validate transparency log
3513 // signatures from a custom Rekor.
3514 "pubkey"?: string
3515
3516 // URL is the address of the transparency log. Defaults to the
3517 // public Rekor log instance https://rekor.sigstore.dev.
3518 "url"?: string
3519 }
3520
3521 // Roots is an optional set of PEM encoded trusted root
3522 // certificates.
3523 // If not provided, the system roots are used.
3524 "roots"?: string
3525
3526 // Subject is the verified identity used for keyless signing, for
3527 // example the email address.
3528 "subject"?: string
3529
3530 // SubjectRegExp is the regular expression to match identity used
3531 // for keyless signing, for example the email address.
3532 "subjectRegExp"?: string
3533 }
3534
3535 // Keys specifies one or more public keys.
3536 "keys"?: {
3537 // CTLog (certificate timestamp log) provides a configuration for
3538 // validation of Signed Certificate
3539 // Timestamps (SCTs). If the value is unset, the default behavior
3540 // by Cosign is used.
3541 "ctlog"?: {
3542 // IgnoreSCT defines whether to use the Signed Certificate
3543 // Timestamp (SCT) log to check for a certificate
3544 // timestamp. Default is false. Set to true if this was opted out
3545 // during signing.
3546 "ignoreSCT"?: bool
3547
3548 // PubKey, if set, is used to validate SCTs against a custom
3549 // source.
3550 "pubkey"?: string
3551
3552 // TSACertChain, if set, is the PEM-encoded certificate chain file
3553 // for the RFC3161 timestamp authority. Must
3554 // contain the root CA certificate. Optionally may contain
3555 // intermediate CA certificates, and
3556 // may contain the leaf TSA certificate if not present in the
3557 // timestamp source.
3558 "tsaCertChain"?: string
3559 }
3560
3561 // KMS provides the URI to the public key stored in a Key
3562 // Management System. See:
3563 // https://github.com/sigstore/cosign/blob/main/KMS.md
3564 "kms"?: string
3565
3566 // Keys is a set of X.509 public keys used to verify image
3567 // signatures. The keys can be directly
3568 // specified or can be a variable reference to a key specified in
3569 // a ConfigMap (see
3570 // https://kyverno.io/docs/writing-policies/variables/), or
3571 // reference a standard Kubernetes Secret
3572 // elsewhere in the cluster by specifying it in the format
3573 // "k8s://<namespace>/<secret_name>".
3574 // The named Secret must specify a key `cosign.pub` containing the
3575 // public key used for
3576 // verification (see
3577 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3578 // When multiple keys are specified each key is processed as a
3579 // separate staticKey entry
3580 // (.attestors[*].entries.keys) within the set of attestors and
3581 // the count is applied across the keys.
3582 "publicKeys"?: string
3583
3584 // Rekor provides configuration for the Rekor transparency log
3585 // service. If an empty object
3586 // is provided the public instance of Rekor
3587 // (https://rekor.sigstore.dev) is used.
3588 "rekor"?: {
3589 // IgnoreTlog skips transparency log verification.
3590 "ignoreTlog"?: bool
3591
3592 // RekorPubKey is an optional PEM-encoded public key to use for a
3593 // custom Rekor.
3594 // If set, this will be used to validate transparency log
3595 // signatures from a custom Rekor.
3596 "pubkey"?: string
3597
3598 // URL is the address of the transparency log. Defaults to the
3599 // public Rekor log instance https://rekor.sigstore.dev.
3600 "url"?: string
3601 }
3602
3603 // Reference to a Secret resource that contains a public key
3604 "secret"?: {
3605 // Name of the secret. The provided secret must contain a key
3606 // named cosign.pub.
3607 "name"!: string
3608
3609 // Namespace name where the Secret exists.
3610 "namespace"!: string
3611 }
3612
3613 // Deprecated. Use attestor.signatureAlgorithm instead.
3614 "signatureAlgorithm"?: string
3615 }
3616
3617 // Repository is an optional alternate OCI repository to use for
3618 // signatures and attestations that match this rule.
3619 // If specified Repository will override other OCI image
3620 // repository locations for this Attestor.
3621 "repository"?: string
3622
3623 // Specify signature algorithm for public keys. Supported values
3624 // are sha224, sha256, sha384 and sha512.
3625 "signatureAlgorithm"?: string
3626 }]
3627 }]
3628
3629 // Conditions are used to verify attributes within a Predicate. If
3630 // no Conditions are specified
3631 // the attestation check is satisfied as long as there are predicates
3632 // that match the predicate type.
3633 "conditions"?: [...{
3634 // AllConditions enable variable-based conditional rule execution.
3635 // This is useful for
3636 // finer control of when a rule is applied. A condition can
3637 // reference object data
3638 // using JMESPath notation.
3639 // Here, all of the conditions need to pass
3640 "all"?: [...{
3641 // Key is the context entry (using JMESPath) for conditional rule
3642 // evaluation.
3643 "key"?: null | bool | number | string | [...] | {
3644 ...
3645 }
3646
3647 // Message is an optional display message
3648 "message"?: string
3649
3650 // Operator is the conditional operation to perform. Valid
3651 // operators are:
3652 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3653 // GreaterThanOrEquals,
3654 // GreaterThan, LessThanOrEquals, LessThan,
3655 // DurationGreaterThanOrEquals, DurationGreaterThan,
3656 // DurationLessThanOrEquals, DurationLessThan
3657 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3658
3659 // Value is the conditional value, or set of values. The values
3660 // can be a fixed set
3661 // or can be variables declared using JMESPath.
3662 "value"?: null | bool | number | string | [...] | {
3663 ...
3664 }
3665 }]
3666
3667 // AnyConditions enable variable-based conditional rule execution.
3668 // This is useful for
3669 // finer control of when a rule is applied. A condition can
3670 // reference object data
3671 // using JMESPath notation.
3672 // Here, at least one of the conditions need to pass
3673 "any"?: [...{
3674 // Key is the context entry (using JMESPath) for conditional rule
3675 // evaluation.
3676 "key"?: null | bool | number | string | [...] | {
3677 ...
3678 }
3679
3680 // Message is an optional display message
3681 "message"?: string
3682
3683 // Operator is the conditional operation to perform. Valid
3684 // operators are:
3685 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3686 // GreaterThanOrEquals,
3687 // GreaterThan, LessThanOrEquals, LessThan,
3688 // DurationGreaterThanOrEquals, DurationGreaterThan,
3689 // DurationLessThanOrEquals, DurationLessThan
3690 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3691
3692 // Value is the conditional value, or set of values. The values
3693 // can be a fixed set
3694 // or can be variables declared using JMESPath.
3695 "value"?: null | bool | number | string | [...] | {
3696 ...
3697 }
3698 }]
3699 }]
3700
3701 // Name is the variable name.
3702 "name"?: string
3703
3704 // Deprecated in favour of 'Type', to be removed soon
3705 "predicateType"?: string
3706
3707 // Type defines the type of attestation contained within the
3708 // Statement.
3709 "type"?: string
3710 }]
3711
3712 // Attestors specifies the required attestors (i.e. authorities).
3713 "attestors"?: [...{
3714 // Count specifies the required number of entries that must match.
3715 // If the count is null, all entries must match
3716 // (a logical AND). If the count is 1, at least one entry must
3717 // match (a logical OR). If the count contains a
3718 // value N, then N must be less than or equal to the size of
3719 // entries, and at least N entries must match.
3720 "count"?: int & >=1
3721
3722 // Entries contains the available attestors. An attestor can be a
3723 // static key,
3724 // attributes for keyless verification, or a nested attestor
3725 // declaration.
3726 "entries"?: [...{
3727 // Annotations are used for image verification.
3728 // Every specified key-value pair must exist and match in the
3729 // verified payload.
3730 // The payload may contain other key-value pairs.
3731 "annotations"?: [string]: string
3732
3733 // Attestor is a nested set of Attestor used to specify a more
3734 // complex set of match authorities.
3735 "attestor"?: null | bool | number | string | [...] | {
3736 ...
3737 }
3738
3739 // Certificates specifies one or more certificates.
3740 "certificates"?: {
3741 // Cert is an optional PEM-encoded public certificate.
3742 "cert"?: string
3743
3744 // CertChain is an optional PEM encoded set of certificates used
3745 // to verify.
3746 "certChain"?: string
3747
3748 // CTLog (certificate timestamp log) provides a configuration for
3749 // validation of Signed Certificate
3750 // Timestamps (SCTs). If the value is unset, the default behavior
3751 // by Cosign is used.
3752 "ctlog"?: {
3753 // IgnoreSCT defines whether to use the Signed Certificate
3754 // Timestamp (SCT) log to check for a certificate
3755 // timestamp. Default is false. Set to true if this was opted out
3756 // during signing.
3757 "ignoreSCT"?: bool
3758
3759 // PubKey, if set, is used to validate SCTs against a custom
3760 // source.
3761 "pubkey"?: string
3762
3763 // TSACertChain, if set, is the PEM-encoded certificate chain file
3764 // for the RFC3161 timestamp authority. Must
3765 // contain the root CA certificate. Optionally may contain
3766 // intermediate CA certificates, and
3767 // may contain the leaf TSA certificate if not present in the
3768 // timestamp source.
3769 "tsaCertChain"?: string
3770 }
3771
3772 // Rekor provides configuration for the Rekor transparency log
3773 // service. If an empty object
3774 // is provided the public instance of Rekor
3775 // (https://rekor.sigstore.dev) is used.
3776 "rekor"?: {
3777 // IgnoreTlog skips transparency log verification.
3778 "ignoreTlog"?: bool
3779
3780 // RekorPubKey is an optional PEM-encoded public key to use for a
3781 // custom Rekor.
3782 // If set, this will be used to validate transparency log
3783 // signatures from a custom Rekor.
3784 "pubkey"?: string
3785
3786 // URL is the address of the transparency log. Defaults to the
3787 // public Rekor log instance https://rekor.sigstore.dev.
3788 "url"?: string
3789 }
3790 }
3791
3792 // Keyless is a set of attributes used to verify a Sigstore keyless
3793 // attestor.
3794 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3795 "keyless"?: {
3796 // AdditionalExtensions are certificate-extensions used for
3797 // keyless signing.
3798 "additionalExtensions"?: [string]: string
3799
3800 // CTLog (certificate timestamp log) provides a configuration for
3801 // validation of Signed Certificate
3802 // Timestamps (SCTs). If the value is unset, the default behavior
3803 // by Cosign is used.
3804 "ctlog"?: {
3805 // IgnoreSCT defines whether to use the Signed Certificate
3806 // Timestamp (SCT) log to check for a certificate
3807 // timestamp. Default is false. Set to true if this was opted out
3808 // during signing.
3809 "ignoreSCT"?: bool
3810
3811 // PubKey, if set, is used to validate SCTs against a custom
3812 // source.
3813 "pubkey"?: string
3814
3815 // TSACertChain, if set, is the PEM-encoded certificate chain file
3816 // for the RFC3161 timestamp authority. Must
3817 // contain the root CA certificate. Optionally may contain
3818 // intermediate CA certificates, and
3819 // may contain the leaf TSA certificate if not present in the
3820 // timestamp source.
3821 "tsaCertChain"?: string
3822 }
3823
3824 // Issuer is the certificate issuer used for keyless signing.
3825 "issuer"?: string
3826
3827 // IssuerRegExp is the regular expression to match certificate
3828 // issuer used for keyless signing.
3829 "issuerRegExp"?: string
3830
3831 // Rekor provides configuration for the Rekor transparency log
3832 // service. If an empty object
3833 // is provided the public instance of Rekor
3834 // (https://rekor.sigstore.dev) is used.
3835 "rekor"?: {
3836 // IgnoreTlog skips transparency log verification.
3837 "ignoreTlog"?: bool
3838
3839 // RekorPubKey is an optional PEM-encoded public key to use for a
3840 // custom Rekor.
3841 // If set, this will be used to validate transparency log
3842 // signatures from a custom Rekor.
3843 "pubkey"?: string
3844
3845 // URL is the address of the transparency log. Defaults to the
3846 // public Rekor log instance https://rekor.sigstore.dev.
3847 "url"?: string
3848 }
3849
3850 // Roots is an optional set of PEM encoded trusted root
3851 // certificates.
3852 // If not provided, the system roots are used.
3853 "roots"?: string
3854
3855 // Subject is the verified identity used for keyless signing, for
3856 // example the email address.
3857 "subject"?: string
3858
3859 // SubjectRegExp is the regular expression to match identity used
3860 // for keyless signing, for example the email address.
3861 "subjectRegExp"?: string
3862 }
3863
3864 // Keys specifies one or more public keys.
3865 "keys"?: {
3866 // CTLog (certificate timestamp log) provides a configuration for
3867 // validation of Signed Certificate
3868 // Timestamps (SCTs). If the value is unset, the default behavior
3869 // by Cosign is used.
3870 "ctlog"?: {
3871 // IgnoreSCT defines whether to use the Signed Certificate
3872 // Timestamp (SCT) log to check for a certificate
3873 // timestamp. Default is false. Set to true if this was opted out
3874 // during signing.
3875 "ignoreSCT"?: bool
3876
3877 // PubKey, if set, is used to validate SCTs against a custom
3878 // source.
3879 "pubkey"?: string
3880
3881 // TSACertChain, if set, is the PEM-encoded certificate chain file
3882 // for the RFC3161 timestamp authority. Must
3883 // contain the root CA certificate. Optionally may contain
3884 // intermediate CA certificates, and
3885 // may contain the leaf TSA certificate if not present in the
3886 // timestamp source.
3887 "tsaCertChain"?: string
3888 }
3889
3890 // KMS provides the URI to the public key stored in a Key
3891 // Management System. See:
3892 // https://github.com/sigstore/cosign/blob/main/KMS.md
3893 "kms"?: string
3894
3895 // Keys is a set of X.509 public keys used to verify image
3896 // signatures. The keys can be directly
3897 // specified or can be a variable reference to a key specified in
3898 // a ConfigMap (see
3899 // https://kyverno.io/docs/writing-policies/variables/), or
3900 // reference a standard Kubernetes Secret
3901 // elsewhere in the cluster by specifying it in the format
3902 // "k8s://<namespace>/<secret_name>".
3903 // The named Secret must specify a key `cosign.pub` containing the
3904 // public key used for
3905 // verification (see
3906 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3907 // When multiple keys are specified each key is processed as a
3908 // separate staticKey entry
3909 // (.attestors[*].entries.keys) within the set of attestors and
3910 // the count is applied across the keys.
3911 "publicKeys"?: string
3912
3913 // Rekor provides configuration for the Rekor transparency log
3914 // service. If an empty object
3915 // is provided the public instance of Rekor
3916 // (https://rekor.sigstore.dev) is used.
3917 "rekor"?: {
3918 // IgnoreTlog skips transparency log verification.
3919 "ignoreTlog"?: bool
3920
3921 // RekorPubKey is an optional PEM-encoded public key to use for a
3922 // custom Rekor.
3923 // If set, this will be used to validate transparency log
3924 // signatures from a custom Rekor.
3925 "pubkey"?: string
3926
3927 // URL is the address of the transparency log. Defaults to the
3928 // public Rekor log instance https://rekor.sigstore.dev.
3929 "url"?: string
3930 }
3931
3932 // Reference to a Secret resource that contains a public key
3933 "secret"?: {
3934 // Name of the secret. The provided secret must contain a key
3935 // named cosign.pub.
3936 "name"!: string
3937
3938 // Namespace name where the Secret exists.
3939 "namespace"!: string
3940 }
3941
3942 // Deprecated. Use attestor.signatureAlgorithm instead.
3943 "signatureAlgorithm"?: string
3944 }
3945
3946 // Repository is an optional alternate OCI repository to use for
3947 // signatures and attestations that match this rule.
3948 // If specified Repository will override other OCI image
3949 // repository locations for this Attestor.
3950 "repository"?: string
3951
3952 // Specify signature algorithm for public keys. Supported values
3953 // are sha224, sha256, sha384 and sha512.
3954 "signatureAlgorithm"?: string
3955 }]
3956 }]
3957
3958 // CosignOCI11 enables the experimental OCI 1.1 behaviour in
3959 // cosign image verification.
3960 // Defaults to false.
3961 "cosignOCI11"?: bool
3962
3963 // Allowed values are Audit or Enforce.
3964 "failureAction"?: "Audit" | "Enforce"
3965
3966 // Deprecated. Use ImageReferences instead.
3967 "image"?: string
3968
3969 // ImageReferences is a list of matching image reference patterns.
3970 // At least one pattern in the
3971 // list must match the image for the rule to apply. Each image
3972 // reference consists of a registry
3973 // address (defaults to docker.io), repository, image, and tag
3974 // (defaults to latest).
3975 // Wildcards ('*' and '?') are allowed. See:
3976 // https://kubernetes.io/docs/concepts/containers/images.
3977 "imageReferences"?: [...string]
3978
3979 // ImageRegistryCredentials provides credentials that will be used
3980 // for authentication with registry.
3981 "imageRegistryCredentials"?: {
3982 // AllowInsecureRegistry allows insecure access to a registry.
3983 "allowInsecureRegistry"?: bool
3984
3985 // Providers specifies a list of OCI Registry names, whose
3986 // authentication providers are provided.
3987 // It can be of one of these values:
3988 // default,google,azure,amazon,github.
3989 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
3990
3991 // Secrets specifies a list of secrets that are provided for
3992 // credentials.
3993 // Secrets must live in the Kyverno namespace.
3994 "secrets"?: [...string]
3995 }
3996
3997 // Deprecated. Use KeylessAttestor instead.
3998 "issuer"?: string
3999
4000 // Deprecated. Use StaticKeyAttestor instead.
4001 "key"?: string
4002
4003 // MutateDigest enables replacement of image tags with digests.
4004 // Defaults to true.
4005 "mutateDigest"?: bool
4006
4007 // Repository is an optional alternate OCI repository to use for
4008 // image signatures and attestations that match this rule.
4009 // If specified Repository will override the default OCI image
4010 // repository configured for the installation.
4011 // The repository can also be overridden per Attestor or
4012 // Attestation.
4013 "repository"?: string
4014
4015 // Required validates that images are verified, i.e. have matched and
4016 // passed a signature or attestation check.
4017 "required"?: bool
4018
4019 // Deprecated. Use KeylessAttestor instead.
4020 "roots"?: string
4021
4022 // SkipImageReferences is a list of matching image reference
4023 // patterns that should be skipped.
4024 // At least one pattern in the list must match the image for the
4025 // rule to be skipped. Each image reference
4026 // consists of a registry address (defaults to docker.io),
4027 // repository, image, and tag (defaults to latest).
4028 // Wildcards ('*' and '?') are allowed. See:
4029 // https://kubernetes.io/docs/concepts/containers/images.
4030 "skipImageReferences"?: [...string]
4031
4032 // Deprecated. Use KeylessAttestor instead.
4033 "subject"?: string
4034
4035 // Type specifies the method of signature validation. The allowed
4036 // options
4037 // are Cosign, Sigstore Bundle and Notary. By default Cosign is
4038 // used if a type is not specified.
4039 "type"?: "Cosign" | "SigstoreBundle" | "Notary"
4040
4041 // UseCache enables caching of image verify responses for this
4042 // rule.
4043 "useCache"?: bool
4044
4045 // Validation checks conditions across multiple image
4046 // verification attestations or context entries
4047 "validate"?: {
4048 // Deny defines conditions used to pass or fail a validation rule.
4049 "deny"?: {
4050 // Multiple conditions can be declared under an `any` or `all`
4051 // statement. A direct list
4052 // of conditions (without `any` or `all` statements) is also
4053 // supported for backwards compatibility
4054 // but will be deprecated in the next major release.
4055 // See:
4056 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
4057 "conditions"?: null | bool | number | string | [...] | {
4058 ...
4059 }
4060 }
4061
4062 // Message specifies a custom message to be displayed on failure.
4063 "message"?: string
4064 }
4065
4066 // VerifyDigest validates that images have a digest.
4067 "verifyDigest"?: bool
4068 }]
4069 }]
4070
4071 // Deprecated.
4072 "schemaValidation"?: bool
4073
4074 // UseServerSideApply controls whether to use server-side apply
4075 // for generate rules
4076 // If set to "true", create & update for generate rules will use
4077 // apply instead of create/update.
4078 // Defaults to "false" if not specified.
4079 "useServerSideApply"?: bool
4080
4081 // Deprecated, use validationFailureAction under the validate rule
4082 // instead.
4083 "validationFailureAction"?: "audit" | "enforce" | "Audit" | "Enforce"
4084
4085 // Deprecated, use validationFailureActionOverrides under the
4086 // validate rule instead.
4087 "validationFailureActionOverrides"?: [...{
4088 // ValidationFailureAction defines the policy validation failure
4089 // action
4090 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
4091
4092 // A label selector is a label query over a set of resources. The
4093 // result of matchLabels and
4094 // matchExpressions are ANDed. An empty label selector matches all
4095 // objects. A null
4096 // label selector matches no objects.
4097 "namespaceSelector"?: {
4098 // matchExpressions is a list of label selector requirements. The
4099 // requirements are ANDed.
4100 "matchExpressions"?: [...{
4101 // key is the label key that the selector applies to.
4102 "key"!: string
4103
4104 // operator represents a key's relationship to a set of values.
4105 // Valid operators are In, NotIn, Exists and DoesNotExist.
4106 "operator"!: string
4107
4108 // values is an array of string values. If the operator is In or
4109 // NotIn,
4110 // the values array must be non-empty. If the operator is Exists
4111 // or DoesNotExist,
4112 // the values array must be empty. This array is replaced during a
4113 // strategic
4114 // merge patch.
4115 "values"?: [...string]
4116 }]
4117
4118 // matchLabels is a map of {key,value} pairs. A single {key,value}
4119 // in the matchLabels
4120 // map is equivalent to an element of matchExpressions, whose key
4121 // field is "key", the
4122 // operator is "In", and the values array contains only "value".
4123 // The requirements are ANDed.
4124 "matchLabels"?: {
4125 [string]: string
4126 }
4127 }
4128 "namespaces"?: [...string]
4129 }]
4130
4131 // WebhookConfiguration specifies the custom configuration for
4132 // Kubernetes admission webhookconfiguration.
4133 "webhookConfiguration"?: {
4134 // FailurePolicy defines how unexpected policy errors and webhook
4135 // response timeout errors are handled.
4136 // Rules within the same policy share the same failure behavior.
4137 // This field should not be accessed directly, instead
4138 // `GetFailurePolicy()` should be used.
4139 // Allowed values are Ignore or Fail. Defaults to Fail.
4140 "failurePolicy"?: "Ignore" | "Fail"
4141
4142 // MatchCondition configures admission webhook matchConditions.
4143 // Requires Kubernetes 1.27 or later.
4144 "matchConditions"?: [...{
4145 // Expression represents the expression which will be evaluated by
4146 // CEL. Must evaluate to bool.
4147 // CEL expressions have access to the contents of the
4148 // AdmissionRequest and Authorizer, organized into CEL variables:
4149 //
4150 // 'object' - The object from the incoming request. The value is
4151 // null for DELETE requests.
4152 // 'oldObject' - The existing object. The value is null for CREATE
4153 // requests.
4154 // 'request' - Attributes of the admission
4155 // request(/pkg/apis/admission/types.go#AdmissionRequest).
4156 // 'authorizer' - A CEL Authorizer. May be used to perform
4157 // authorization checks for the principal (user or service
4158 // account) of the request.
4159 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
4160 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
4161 // from the 'authorizer' and configured with the
4162 // request resource.
4163 // Documentation on CEL:
4164 // https://kubernetes.io/docs/reference/using-api/cel/
4165 //
4166 // Required.
4167 "expression"!: string
4168
4169 // Name is an identifier for this match condition, used for
4170 // strategic merging of MatchConditions,
4171 // as well as providing an identifier for logging purposes. A good
4172 // name should be descriptive of
4173 // the associated expression.
4174 // Name must be a qualified name consisting of alphanumeric
4175 // characters, '-', '_' or '.', and
4176 // must start and end with an alphanumeric character (e.g.
4177 // 'MyName', or 'my.name', or
4178 // '123-abc', regex used for validation is
4179 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
4180 // optional DNS subdomain prefix and '/' (e.g.
4181 // 'example.com/MyName')
4182 //
4183 // Required.
4184 "name"!: string
4185 }]
4186
4187 // TimeoutSeconds specifies the maximum time in seconds allowed to
4188 // apply this policy.
4189 // After the configured time expires, the admission request may
4190 // fail, or may simply ignore the policy results,
4191 // based on the failure policy. The default timeout is 10s; the
4192 // value must be between 1 and 30 seconds.
4193 "timeoutSeconds"?: int32 & int
4194 }
4195
4196 // Deprecated, use webhookTimeoutSeconds under
4197 // webhookConfiguration instead.
4198 "webhookTimeoutSeconds"?: int32 & int
4199 }
4200
4201 // Deprecated. Policy metrics are available via the metrics
4202 // endpoint
4203 "status"?: {
4204 // AutogenStatus contains autogen status information.
4205 "autogen"?: {
4206 // Rules is a list of Rule instances. It contains auto generated
4207 // rules added for pod controllers
4208 "rules"?: [...{
4209 // CELPreconditions are used to determine if a policy rule should
4210 // be applied by evaluating a
4211 // set of CEL conditions. It can only be used with the
4212 // validate.cel subrule
4213 "celPreconditions"?: [...{
4214 // Expression represents the expression which will be evaluated by
4215 // CEL. Must evaluate to bool.
4216 // CEL expressions have access to the contents of the
4217 // AdmissionRequest and Authorizer, organized into CEL variables:
4218 //
4219 // 'object' - The object from the incoming request. The value is
4220 // null for DELETE requests.
4221 // 'oldObject' - The existing object. The value is null for CREATE
4222 // requests.
4223 // 'request' - Attributes of the admission
4224 // request(/pkg/apis/admission/types.go#AdmissionRequest).
4225 // 'authorizer' - A CEL Authorizer. May be used to perform
4226 // authorization checks for the principal (user or service
4227 // account) of the request.
4228 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
4229 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
4230 // from the 'authorizer' and configured with the
4231 // request resource.
4232 // Documentation on CEL:
4233 // https://kubernetes.io/docs/reference/using-api/cel/
4234 //
4235 // Required.
4236 "expression"!: string
4237
4238 // Name is an identifier for this match condition, used for
4239 // strategic merging of MatchConditions,
4240 // as well as providing an identifier for logging purposes. A good
4241 // name should be descriptive of
4242 // the associated expression.
4243 // Name must be a qualified name consisting of alphanumeric
4244 // characters, '-', '_' or '.', and
4245 // must start and end with an alphanumeric character (e.g.
4246 // 'MyName', or 'my.name', or
4247 // '123-abc', regex used for validation is
4248 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
4249 // optional DNS subdomain prefix and '/' (e.g.
4250 // 'example.com/MyName')
4251 //
4252 // Required.
4253 "name"!: string
4254 }]
4255
4256 // Context defines variables and data sources that can be used
4257 // during rule execution.
4258 "context"?: [...matchN(1, [{
4259 "configMap"!: _
4260 }, {
4261 "apiCall"!: _
4262 }, {
4263 "imageRegistry"!: _
4264 }, {
4265 "variable"!: _
4266 }, {
4267 "globalReference"!: _
4268 }]) & {
4269 // APICall is an HTTP request to the Kubernetes API server, or
4270 // other JSON web service.
4271 // The data returned is stored in the context with the name for
4272 // the context entry.
4273 "apiCall"?: {
4274 // The data object specifies the POST data sent to the server.
4275 // Only applicable when the method field is set to POST.
4276 "data"?: [...{
4277 // Key is a unique identifier for the data value
4278 "key"!: string
4279
4280 // Value is the data value
4281 "value"!: null | bool | number | string | [...] | {
4282 ...
4283 }
4284 }]
4285
4286 // Default is an optional arbitrary JSON object that the context
4287 // value is set to, if the apiCall returns error.
4288 "default"?: null | bool | number | string | [...] | {
4289 ...
4290 }
4291
4292 // JMESPath is an optional JSON Match Expression that can be used
4293 // to
4294 // transform the JSON response returned from the server. For
4295 // example
4296 // a JMESPath of "items | length(@)" applied to the API server
4297 // response
4298 // for the URLPath "/apis/apps/v1/deployments" will return the
4299 // total count
4300 // of deployments across all namespaces.
4301 "jmesPath"?: string
4302
4303 // Method is the HTTP request type (GET or POST). Defaults to GET.
4304 "method"?: "GET" | "POST"
4305
4306 // Service is an API call to a JSON web service.
4307 // This is used for non-Kubernetes API server calls.
4308 // It's mutually exclusive with the URLPath field.
4309 "service"?: {
4310 // CABundle is a PEM encoded CA bundle which will be used to
4311 // validate
4312 // the server certificate.
4313 "caBundle"?: string
4314
4315 // Headers is a list of optional HTTP headers to be included in
4316 // the request.
4317 "headers"?: [...{
4318 // Key is the header key
4319 "key"!: string
4320
4321 // Value is the header value
4322 "value"!: string
4323 }]
4324
4325 // URL is the JSON web service URL. A typical form is
4326 // `https://{service}.{namespace}:{port}/{path}`.
4327 "url"!: string
4328 }
4329
4330 // URLPath is the URL path to be used in the HTTP GET or POST
4331 // request to the
4332 // Kubernetes API server (e.g. "/api/v1/namespaces" or
4333 // "/apis/apps/v1/deployments").
4334 // The format required is the same format used by the `kubectl get
4335 // --raw` command.
4336 // See
4337 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
4338 // for details.
4339 // It's mutually exclusive with the Service field.
4340 "urlPath"?: string
4341 }
4342
4343 // ConfigMap is the ConfigMap reference.
4344 "configMap"?: {
4345 // Name is the ConfigMap name.
4346 "name"!: string
4347
4348 // Namespace is the ConfigMap namespace.
4349 "namespace"?: string
4350 }
4351
4352 // GlobalContextEntryReference is a reference to a cached global
4353 // context entry.
4354 "globalReference"?: {
4355 // JMESPath is an optional JSON Match Expression that can be used
4356 // to
4357 // transform the JSON response returned from the server. For
4358 // example
4359 // a JMESPath of "items | length(@)" applied to the API server
4360 // response
4361 // for the URLPath "/apis/apps/v1/deployments" will return the
4362 // total count
4363 // of deployments across all namespaces.
4364 "jmesPath"?: string
4365
4366 // Name of the global context entry
4367 "name"!: string
4368 }
4369
4370 // ImageRegistry defines requests to an OCI/Docker V2 registry to
4371 // fetch image
4372 // details.
4373 "imageRegistry"?: {
4374 // ImageRegistryCredentials provides credentials that will be used
4375 // for authentication with registry
4376 "imageRegistryCredentials"?: {
4377 // AllowInsecureRegistry allows insecure access to a registry.
4378 "allowInsecureRegistry"?: bool
4379
4380 // Providers specifies a list of OCI Registry names, whose
4381 // authentication providers are provided.
4382 // It can be of one of these values:
4383 // default,google,azure,amazon,github.
4384 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
4385
// Secrets specifies a list of secrets that are provided for
// credentials.
// Secrets must live in the Kyverno namespace. Only the Secret names
// appear in the policy; the credential material stays in the
// referenced Secrets, so read access to Secrets in the Kyverno
// namespace should be restricted accordingly.
4389 "secrets"?: [...string]
4390 }
4391
4392 // JMESPath is an optional JSON Match Expression that can be used
4393 // to
4394 // transform the ImageData struct returned as a result of
4395 // processing
4396 // the image reference.
4397 "jmesPath"?: string
4398
4399 // Reference is image reference to a container image in the
4400 // registry.
4401 // Example: ghcr.io/kyverno/kyverno:latest
4402 "reference"!: string
4403 }
4404
4405 // Name is the variable name.
4406 "name"!: string
4407
4408 // Variable defines an arbitrary JMESPath context variable that
4409 // can be defined inline.
4410 "variable"?: {
4411 // Default is an optional arbitrary JSON object that the variable
4412 // may take if the JMESPath
4413 // expression evaluates to nil
4414 "default"?: null | bool | number | string | [...] | {
4415 ...
4416 }
4417
4418 // JMESPath is an optional JMESPath Expression that can be used to
4419 // transform the variable.
4420 "jmesPath"?: string
4421
4422 // Value is any arbitrary JSON object representable in YAML or
4423 // JSON form.
4424 "value"?: null | bool | number | string | [...] | {
4425 ...
4426 }
4427 }
4428 }]
4429
// ExcludeResources defines when this policy rule should not be
// applied. The exclude
// criteria can include resource information (e.g. kind, name,
// namespace, labels)
// and admission review request information like the name or role.
// Security note: every exclude entry widens an exemption from the
// rule, and the name, namespace, label and annotation fields below
// accept "*"/"?" wildcards, so a loose pattern can exempt far more
// than intended; keep patterns as specific as possible. This file
// describes "?" both as matching "at least one character" and as
// matching "one character" — confirm the matcher's actual semantics
// before relying on it. Criteria based on admission request
// information (roles, clusterRoles, subjects) have no equivalent
// outside admission, so a policy relying on them presumably needs
// `background: false` (see the spec-level `background` field).
4435 "exclude"?: matchN(0, [null | bool | number | string | [...] | {
4436 "any"!: _
4437 "all"!: _
4438 }]) & {
4439 // All allows specifying resources which will be ANDed
4440 "all"?: [...{
4441 // ClusterRoles is the list of cluster-wide role names for the
4442 // user.
4443 "clusterRoles"?: [...string]
4444
4445 // ResourceDescription contains information about the resource
4446 // being created or modified.
4447 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4448 "name"!: _
4449 "names"!: _
4450 }]) & {
4451 // Annotations is a map of annotations (key-value pairs of type
4452 // string). Annotation keys
4453 // and values support the wildcard characters "*" (matches zero or
4454 // many characters) and
4455 // "?" (matches at least one character).
4456 "annotations"?: [string]: string
4457
4458 // Kinds is a list of resource kinds.
4459 "kinds"?: [...string]
4460
4461 // Name is the name of the resource. The name supports wildcard
4462 // characters
4463 // "*" (matches zero or many characters) and "?" (at least one
4464 // character).
4465 // NOTE: "Name" is being deprecated in favor of "Names".
4466 "name"?: string
4467
4468 // Names are the names of the resources. Each name supports
4469 // wildcard characters
4470 // "*" (matches zero or many characters) and "?" (at least one
4471 // character).
4472 "names"?: [...string]
4473
4474 // NamespaceSelector is a label selector for the resource
4475 // namespace. Label keys and values
4476 // in `matchLabels` support the wildcard characters `*` (matches
4477 // zero or many characters)
// and `?` (matches one character). Wildcards allow writing label
4479 // selectors like
4480 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4481 // any key and value but
4482 // does not match an empty label set.
4483 "namespaceSelector"?: {
4484 // matchExpressions is a list of label selector requirements. The
4485 // requirements are ANDed.
4486 "matchExpressions"?: [...{
4487 // key is the label key that the selector applies to.
4488 "key"!: string
4489
4490 // operator represents a key's relationship to a set of values.
4491 // Valid operators are In, NotIn, Exists and DoesNotExist.
4492 "operator"!: string
4493
4494 // values is an array of string values. If the operator is In or
4495 // NotIn,
4496 // the values array must be non-empty. If the operator is Exists
4497 // or DoesNotExist,
4498 // the values array must be empty. This array is replaced during a
4499 // strategic
4500 // merge patch.
4501 "values"?: [...string]
4502 }]
4503
4504 // matchLabels is a map of {key,value} pairs. A single {key,value}
4505 // in the matchLabels
4506 // map is equivalent to an element of matchExpressions, whose key
4507 // field is "key", the
4508 // operator is "In", and the values array contains only "value".
4509 // The requirements are ANDed.
4510 "matchLabels"?: {
4511 [string]: string
4512 }
4513 }
4514
4515 // Namespaces is a list of namespaces names. Each name supports
4516 // wildcard characters
4517 // "*" (matches zero or many characters) and "?" (at least one
4518 // character).
4519 "namespaces"?: [...string]
4520
// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
// "DELETE"], which are used to match a specific action.
// If omitted, this criterion is presumably not applied at all (any
// operation qualifies) — confirm against the engine; inside an
// exclude entry that makes the exemption operation-agnostic.
4523 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4524
4525 // Selector is a label selector. Label keys and values in
4526 // `matchLabels` support the wildcard
4527 // characters `*` (matches zero or many characters) and `?`
4528 // (matches one character).
4529 // Wildcards allows writing label selectors like
4530 // ["storage.k8s.io/*": "*"]. Note that
4531 // using ["*" : "*"] matches any key and value but does not match
4532 // an empty label set.
4533 "selector"?: {
4534 // matchExpressions is a list of label selector requirements. The
4535 // requirements are ANDed.
4536 "matchExpressions"?: [...{
4537 // key is the label key that the selector applies to.
4538 "key"!: string
4539
4540 // operator represents a key's relationship to a set of values.
4541 // Valid operators are In, NotIn, Exists and DoesNotExist.
4542 "operator"!: string
4543
4544 // values is an array of string values. If the operator is In or
4545 // NotIn,
4546 // the values array must be non-empty. If the operator is Exists
4547 // or DoesNotExist,
4548 // the values array must be empty. This array is replaced during a
4549 // strategic
4550 // merge patch.
4551 "values"?: [...string]
4552 }]
4553
4554 // matchLabels is a map of {key,value} pairs. A single {key,value}
4555 // in the matchLabels
4556 // map is equivalent to an element of matchExpressions, whose key
4557 // field is "key", the
4558 // operator is "In", and the values array contains only "value".
4559 // The requirements are ANDed.
4560 "matchLabels"?: {
4561 [string]: string
4562 }
4563 }
4564 }
4565
4566 // Roles is the list of namespaced role names for the user.
4567 "roles"?: [...string]
4568
4569 // Subjects is the list of subject names like users, user groups,
4570 // and service accounts.
4571 "subjects"?: [...{
4572 // APIGroup holds the API group of the referenced subject.
4573 // Defaults to "" for ServiceAccount subjects.
4574 // Defaults to "rbac.authorization.k8s.io" for User and Group
4575 // subjects.
4576 "apiGroup"?: string
4577
4578 // Kind of object being referenced. Values defined by this API
4579 // group are "User", "Group", and "ServiceAccount".
// If the Authorizer does not recognize the kind value, the
// Authorizer should report an error.
4582 "kind"!: string
4583
4584 // Name of the object being referenced.
4585 "name"!: string
4586
// Namespace of the referenced object. If the object kind is
// non-namespaced, such as "User" or "Group", and this value is
// not empty
// the Authorizer should report an error.
4591 "namespace"?: string
4592 }]
4593 }]
4594
4595 // Any allows specifying resources which will be ORed
4596 "any"?: [...{
4597 // ClusterRoles is the list of cluster-wide role names for the
4598 // user.
4599 "clusterRoles"?: [...string]
4600
4601 // ResourceDescription contains information about the resource
4602 // being created or modified.
4603 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4604 "name"!: _
4605 "names"!: _
4606 }]) & {
4607 // Annotations is a map of annotations (key-value pairs of type
4608 // string). Annotation keys
4609 // and values support the wildcard characters "*" (matches zero or
4610 // many characters) and
4611 // "?" (matches at least one character).
4612 "annotations"?: [string]: string
4613
4614 // Kinds is a list of resource kinds.
4615 "kinds"?: [...string]
4616
4617 // Name is the name of the resource. The name supports wildcard
4618 // characters
4619 // "*" (matches zero or many characters) and "?" (at least one
4620 // character).
4621 // NOTE: "Name" is being deprecated in favor of "Names".
4622 "name"?: string
4623
4624 // Names are the names of the resources. Each name supports
4625 // wildcard characters
4626 // "*" (matches zero or many characters) and "?" (at least one
4627 // character).
4628 "names"?: [...string]
4629
4630 // NamespaceSelector is a label selector for the resource
4631 // namespace. Label keys and values
4632 // in `matchLabels` support the wildcard characters `*` (matches
4633 // zero or many characters)
// and `?` (matches one character). Wildcards allow writing label
4635 // selectors like
4636 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4637 // any key and value but
4638 // does not match an empty label set.
4639 "namespaceSelector"?: {
4640 // matchExpressions is a list of label selector requirements. The
4641 // requirements are ANDed.
4642 "matchExpressions"?: [...{
4643 // key is the label key that the selector applies to.
4644 "key"!: string
4645
4646 // operator represents a key's relationship to a set of values.
4647 // Valid operators are In, NotIn, Exists and DoesNotExist.
4648 "operator"!: string
4649
4650 // values is an array of string values. If the operator is In or
4651 // NotIn,
4652 // the values array must be non-empty. If the operator is Exists
4653 // or DoesNotExist,
4654 // the values array must be empty. This array is replaced during a
4655 // strategic
4656 // merge patch.
4657 "values"?: [...string]
4658 }]
4659
4660 // matchLabels is a map of {key,value} pairs. A single {key,value}
4661 // in the matchLabels
4662 // map is equivalent to an element of matchExpressions, whose key
4663 // field is "key", the
4664 // operator is "In", and the values array contains only "value".
4665 // The requirements are ANDed.
4666 "matchLabels"?: {
4667 [string]: string
4668 }
4669 }
4670
4671 // Namespaces is a list of namespaces names. Each name supports
4672 // wildcard characters
4673 // "*" (matches zero or many characters) and "?" (at least one
4674 // character).
4675 "namespaces"?: [...string]
4676
// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
// "DELETE"], which are used to match a specific action.
// If omitted, this criterion is presumably not applied at all (any
// operation qualifies) — confirm against the engine; inside an
// exclude entry that makes the exemption operation-agnostic.
4679 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4680
4681 // Selector is a label selector. Label keys and values in
4682 // `matchLabels` support the wildcard
4683 // characters `*` (matches zero or many characters) and `?`
4684 // (matches one character).
4685 // Wildcards allows writing label selectors like
4686 // ["storage.k8s.io/*": "*"]. Note that
4687 // using ["*" : "*"] matches any key and value but does not match
4688 // an empty label set.
4689 "selector"?: {
4690 // matchExpressions is a list of label selector requirements. The
4691 // requirements are ANDed.
4692 "matchExpressions"?: [...{
4693 // key is the label key that the selector applies to.
4694 "key"!: string
4695
4696 // operator represents a key's relationship to a set of values.
4697 // Valid operators are In, NotIn, Exists and DoesNotExist.
4698 "operator"!: string
4699
4700 // values is an array of string values. If the operator is In or
4701 // NotIn,
4702 // the values array must be non-empty. If the operator is Exists
4703 // or DoesNotExist,
4704 // the values array must be empty. This array is replaced during a
4705 // strategic
4706 // merge patch.
4707 "values"?: [...string]
4708 }]
4709
4710 // matchLabels is a map of {key,value} pairs. A single {key,value}
4711 // in the matchLabels
4712 // map is equivalent to an element of matchExpressions, whose key
4713 // field is "key", the
4714 // operator is "In", and the values array contains only "value".
4715 // The requirements are ANDed.
4716 "matchLabels"?: {
4717 [string]: string
4718 }
4719 }
4720 }
4721
4722 // Roles is the list of namespaced role names for the user.
4723 "roles"?: [...string]
4724
4725 // Subjects is the list of subject names like users, user groups,
4726 // and service accounts.
4727 "subjects"?: [...{
4728 // APIGroup holds the API group of the referenced subject.
4729 // Defaults to "" for ServiceAccount subjects.
4730 // Defaults to "rbac.authorization.k8s.io" for User and Group
4731 // subjects.
4732 "apiGroup"?: string
4733
4734 // Kind of object being referenced. Values defined by this API
4735 // group are "User", "Group", and "ServiceAccount".
// If the Authorizer does not recognize the kind value, the
// Authorizer should report an error.
4738 "kind"!: string
4739
4740 // Name of the object being referenced.
4741 "name"!: string
4742
// Namespace of the referenced object. If the object kind is
// non-namespaced, such as "User" or "Group", and this value is
// not empty
// the Authorizer should report an error.
4747 "namespace"?: string
4748 }]
4749 }]
4750
4751 // ClusterRoles is the list of cluster-wide role names for the
4752 // user.
4753 "clusterRoles"?: [...string]
4754
4755 // ResourceDescription contains information about the resource
4756 // being created or modified.
4757 // Requires at least one tag to be specified when under
4758 // MatchResources.
4759 // Specifying ResourceDescription directly under match is being
4760 // deprecated.
4761 // Please specify under "any" or "all" instead.
4762 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4763 "name"!: _
4764 "names"!: _
4765 }]) & {
4766 // Annotations is a map of annotations (key-value pairs of type
4767 // string). Annotation keys
4768 // and values support the wildcard characters "*" (matches zero or
4769 // many characters) and
4770 // "?" (matches at least one character).
4771 "annotations"?: [string]: string
4772
4773 // Kinds is a list of resource kinds.
4774 "kinds"?: [...string]
4775
4776 // Name is the name of the resource. The name supports wildcard
4777 // characters
4778 // "*" (matches zero or many characters) and "?" (at least one
4779 // character).
4780 // NOTE: "Name" is being deprecated in favor of "Names".
4781 "name"?: string
4782
4783 // Names are the names of the resources. Each name supports
4784 // wildcard characters
4785 // "*" (matches zero or many characters) and "?" (at least one
4786 // character).
4787 "names"?: [...string]
4788
4789 // NamespaceSelector is a label selector for the resource
4790 // namespace. Label keys and values
4791 // in `matchLabels` support the wildcard characters `*` (matches
4792 // zero or many characters)
// and `?` (matches one character). Wildcards allow writing label
4794 // selectors like
4795 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4796 // any key and value but
4797 // does not match an empty label set.
4798 "namespaceSelector"?: {
4799 // matchExpressions is a list of label selector requirements. The
4800 // requirements are ANDed.
4801 "matchExpressions"?: [...{
4802 // key is the label key that the selector applies to.
4803 "key"!: string
4804
4805 // operator represents a key's relationship to a set of values.
4806 // Valid operators are In, NotIn, Exists and DoesNotExist.
4807 "operator"!: string
4808
4809 // values is an array of string values. If the operator is In or
4810 // NotIn,
4811 // the values array must be non-empty. If the operator is Exists
4812 // or DoesNotExist,
4813 // the values array must be empty. This array is replaced during a
4814 // strategic
4815 // merge patch.
4816 "values"?: [...string]
4817 }]
4818
4819 // matchLabels is a map of {key,value} pairs. A single {key,value}
4820 // in the matchLabels
4821 // map is equivalent to an element of matchExpressions, whose key
4822 // field is "key", the
4823 // operator is "In", and the values array contains only "value".
4824 // The requirements are ANDed.
4825 "matchLabels"?: {
4826 [string]: string
4827 }
4828 }
4829
4830 // Namespaces is a list of namespaces names. Each name supports
4831 // wildcard characters
4832 // "*" (matches zero or many characters) and "?" (at least one
4833 // character).
4834 "namespaces"?: [...string]
4835
// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
// "DELETE"], which are used to match a specific action.
// If omitted, this criterion is presumably not applied at all (any
// operation qualifies) — confirm against the engine; inside an
// exclude entry that makes the exemption operation-agnostic.
4838 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4839
4840 // Selector is a label selector. Label keys and values in
4841 // `matchLabels` support the wildcard
4842 // characters `*` (matches zero or many characters) and `?`
4843 // (matches one character).
4844 // Wildcards allows writing label selectors like
4845 // ["storage.k8s.io/*": "*"]. Note that
4846 // using ["*" : "*"] matches any key and value but does not match
4847 // an empty label set.
4848 "selector"?: {
4849 // matchExpressions is a list of label selector requirements. The
4850 // requirements are ANDed.
4851 "matchExpressions"?: [...{
4852 // key is the label key that the selector applies to.
4853 "key"!: string
4854
4855 // operator represents a key's relationship to a set of values.
4856 // Valid operators are In, NotIn, Exists and DoesNotExist.
4857 "operator"!: string
4858
4859 // values is an array of string values. If the operator is In or
4860 // NotIn,
4861 // the values array must be non-empty. If the operator is Exists
4862 // or DoesNotExist,
4863 // the values array must be empty. This array is replaced during a
4864 // strategic
4865 // merge patch.
4866 "values"?: [...string]
4867 }]
4868
4869 // matchLabels is a map of {key,value} pairs. A single {key,value}
4870 // in the matchLabels
4871 // map is equivalent to an element of matchExpressions, whose key
4872 // field is "key", the
4873 // operator is "In", and the values array contains only "value".
4874 // The requirements are ANDed.
4875 "matchLabels"?: {
4876 [string]: string
4877 }
4878 }
4879 }
4880
4881 // Roles is the list of namespaced role names for the user.
4882 "roles"?: [...string]
4883
4884 // Subjects is the list of subject names like users, user groups,
4885 // and service accounts.
4886 "subjects"?: [...{
4887 // APIGroup holds the API group of the referenced subject.
4888 // Defaults to "" for ServiceAccount subjects.
4889 // Defaults to "rbac.authorization.k8s.io" for User and Group
4890 // subjects.
4891 "apiGroup"?: string
4892
4893 // Kind of object being referenced. Values defined by this API
4894 // group are "User", "Group", and "ServiceAccount".
// If the Authorizer does not recognize the kind value, the
// Authorizer should report an error.
4897 "kind"!: string
4898
4899 // Name of the object being referenced.
4900 "name"!: string
4901
// Namespace of the referenced object. If the object kind is
// non-namespaced, such as "User" or "Group", and this value is
// not empty
// the Authorizer should report an error.
4906 "namespace"?: string
4907 }]
4908 }
4909
// Generation is used to create new resources.
// Security note: generated resources are created by the Kyverno
// engine, presumably with its own permissions rather than the
// requesting user's (confirm against the engine), and `clone` /
// `cloneList` take a source namespace distinct from the target
// `namespace`, so a generate rule is a cross-namespace data flow
// (e.g. copying Secrets) that namespace-scoped RBAC alone does not
// gate. Restrict who may author such rules.
4911 "generate"?: {
4912 // APIVersion specifies resource apiVersion.
4913 "apiVersion"?: string
4914
4915 // Clone specifies the source resource used to populate each
4916 // generated resource.
4917 // At most one of Data or Clone can be specified. If neither are
4918 // provided, the generated
4919 // resource will be created with default data only.
4920 "clone"?: {
4921 // Name specifies name of the resource.
4922 "name"?: string
4923
4924 // Namespace specifies source resource namespace.
4925 "namespace"?: string
4926 }
4927
4928 // CloneList specifies the list of source resource used to
4929 // populate each generated resource.
4930 "cloneList"?: {
4931 // Kinds is a list of resource kinds.
4932 "kinds"?: [...string]
4933
4934 // Namespace specifies source resource namespace.
4935 "namespace"?: string
4936
4937 // Selector is a label selector. Label keys and values in
4938 // `matchLabels`.
4939 // wildcard characters are not supported.
4940 "selector"?: {
4941 // matchExpressions is a list of label selector requirements. The
4942 // requirements are ANDed.
4943 "matchExpressions"?: [...{
4944 // key is the label key that the selector applies to.
4945 "key"!: string
4946
4947 // operator represents a key's relationship to a set of values.
4948 // Valid operators are In, NotIn, Exists and DoesNotExist.
4949 "operator"!: string
4950
4951 // values is an array of string values. If the operator is In or
4952 // NotIn,
4953 // the values array must be non-empty. If the operator is Exists
4954 // or DoesNotExist,
4955 // the values array must be empty. This array is replaced during a
4956 // strategic
4957 // merge patch.
4958 "values"?: [...string]
4959 }]
4960
4961 // matchLabels is a map of {key,value} pairs. A single {key,value}
4962 // in the matchLabels
4963 // map is equivalent to an element of matchExpressions, whose key
4964 // field is "key", the
4965 // operator is "In", and the values array contains only "value".
4966 // The requirements are ANDed.
4967 "matchLabels"?: {
4968 [string]: string
4969 }
4970 }
4971 }
4972
4973 // Data provides the resource declaration used to populate each
4974 // generated resource.
4975 // At most one of Data or Clone must be specified. If neither are
4976 // provided, the generated
4977 // resource will be created with default data only.
4978 "data"?: null | bool | number | string | [...] | {
4979 ...
4980 }
4981
4982 // ForEach applies generate rules to a list of sub-elements by
4983 // creating a context for each entry in the list and looping over
4984 // it to apply the specified logic.
4985 "foreach"?: [...{
4986 // APIVersion specifies resource apiVersion.
4987 "apiVersion"?: string
4988
4989 // Clone specifies the source resource used to populate each
4990 // generated resource.
4991 // At most one of Data or Clone can be specified. If neither are
4992 // provided, the generated
4993 // resource will be created with default data only.
4994 "clone"?: {
4995 // Name specifies name of the resource.
4996 "name"?: string
4997
4998 // Namespace specifies source resource namespace.
4999 "namespace"?: string
5000 }
5001
5002 // CloneList specifies the list of source resource used to
5003 // populate each generated resource.
5004 "cloneList"?: {
5005 // Kinds is a list of resource kinds.
5006 "kinds"?: [...string]
5007
5008 // Namespace specifies source resource namespace.
5009 "namespace"?: string
5010
5011 // Selector is a label selector. Label keys and values in
5012 // `matchLabels`.
5013 // wildcard characters are not supported.
5014 "selector"?: {
5015 // matchExpressions is a list of label selector requirements. The
5016 // requirements are ANDed.
5017 "matchExpressions"?: [...{
5018 // key is the label key that the selector applies to.
5019 "key"!: string
5020
5021 // operator represents a key's relationship to a set of values.
5022 // Valid operators are In, NotIn, Exists and DoesNotExist.
5023 "operator"!: string
5024
5025 // values is an array of string values. If the operator is In or
5026 // NotIn,
5027 // the values array must be non-empty. If the operator is Exists
5028 // or DoesNotExist,
5029 // the values array must be empty. This array is replaced during a
5030 // strategic
5031 // merge patch.
5032 "values"?: [...string]
5033 }]
5034
5035 // matchLabels is a map of {key,value} pairs. A single {key,value}
5036 // in the matchLabels
5037 // map is equivalent to an element of matchExpressions, whose key
5038 // field is "key", the
5039 // operator is "In", and the values array contains only "value".
5040 // The requirements are ANDed.
5041 "matchLabels"?: {
5042 [string]: string
5043 }
5044 }
5045 }
5046
5047 // Context defines variables and data sources that can be used
5048 // during rule execution.
5049 "context"?: [...matchN(1, [{
5050 "configMap"!: _
5051 }, {
5052 "apiCall"!: _
5053 }, {
5054 "imageRegistry"!: _
5055 }, {
5056 "variable"!: _
5057 }, {
5058 "globalReference"!: _
5059 }]) & {
// APICall is an HTTP request to the Kubernetes API server, or
// other JSON web service.
// The data returned is stored in the context with the name for
// the context entry.
// Security note: the request is issued by the Kyverno engine,
// presumably with its own service-account credentials rather than
// the requesting user's (confirm against the engine), so the ability
// to author apiCall entries — especially POST against `urlPath` —
// extends the author's reach to whatever Kyverno is permitted to read
// or create. Treat the returned data as untrusted input to the rule:
// it comes from a network service.
5064 "apiCall"?: {
5065 // The data object specifies the POST data sent to the server.
5066 // Only applicable when the method field is set to POST.
5067 "data"?: [...{
5068 // Key is a unique identifier for the data value
5069 "key"!: string
5070
5071 // Value is the data value
5072 "value"!: null | bool | number | string | [...] | {
5073 ...
5074 }
5075 }]
5076
// Default is an optional arbitrary JSON object that the context
// value is set to, if the apiCall returns error.
// Caution: a default masks the failure (including TLS, authentication
// and connectivity errors), so a rule that depends on this value may
// silently fail open when the endpoint is unreachable or tampered
// with; choose a default that leads to the safe outcome.
5079 "default"?: null | bool | number | string | [...] | {
5080 ...
5081 }
5082
5083 // JMESPath is an optional JSON Match Expression that can be used
5084 // to
5085 // transform the JSON response returned from the server. For
5086 // example
5087 // a JMESPath of "items | length(@)" applied to the API server
5088 // response
5089 // for the URLPath "/apis/apps/v1/deployments" will return the
5090 // total count
5091 // of deployments across all namespaces.
5092 "jmesPath"?: string
5093
5094 // Method is the HTTP request type (GET or POST). Defaults to GET.
5095 "method"?: "GET" | "POST"
5096
5097 // Service is an API call to a JSON web service.
5098 // This is used for non-Kubernetes API server calls.
5099 // It's mutually exclusive with the URLPath field.
5100 "service"?: {
// CABundle is a PEM encoded CA bundle which will be used to
// validate
// the server certificate. Providing it pins which CAs may vouch for
// the service; when omitted, validation presumably falls back to the
// trust store of the Kyverno container (confirm). Note that the
// schema does not restrict `url` to https; without TLS the headers
// below travel in cleartext and the server is not authenticated.
5104 "caBundle"?: string
5105
// Headers is a list of optional HTTP headers to be included in
// the request. Header values are stored as plain strings in the
// policy object, so anything placed here (e.g. a bearer token) is
// readable by anyone who can read the policy; avoid embedding
// long-lived credentials directly.
5108 "headers"?: [...{
5109 // Key is the header key
5110 "key"!: string
5111
5112 // Value is the header value
5113 "value"!: string
5114 }]
5115
5116 // URL is the JSON web service URL. A typical form is
5117 // `https://{service}.{namespace}:{port}/{path}`.
5118 "url"!: string
5119 }
5120
5121 // URLPath is the URL path to be used in the HTTP GET or POST
5122 // request to the
5123 // Kubernetes API server (e.g. "/api/v1/namespaces" or
5124 // "/apis/apps/v1/deployments").
5125 // The format required is the same format used by the `kubectl get
5126 // --raw` command.
5127 // See
5128 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
5129 // for details.
5130 // It's mutually exclusive with the Service field.
5131 "urlPath"?: string
5132 }
5133
// ConfigMap is the ConfigMap reference. Data loaded from it becomes
// input to the rule, so the rule is only as trustworthy as write
// access to that ConfigMap (and its namespace) allows; do not source
// allow-lists or trust anchors from ConfigMaps that workloads can edit.
5135 "configMap"?: {
5136 // Name is the ConfigMap name.
5137 "name"!: string
5138
5139 // Namespace is the ConfigMap namespace.
5140 "namespace"?: string
5141 }
5142
5143 // GlobalContextEntryReference is a reference to a cached global
5144 // context entry.
5145 "globalReference"?: {
5146 // JMESPath is an optional JSON Match Expression that can be used
5147 // to
5148 // transform the JSON response returned from the server. For
5149 // example
5150 // a JMESPath of "items | length(@)" applied to the API server
5151 // response
5152 // for the URLPath "/apis/apps/v1/deployments" will return the
5153 // total count
5154 // of deployments across all namespaces.
5155 "jmesPath"?: string
5156
5157 // Name of the global context entry
5158 "name"!: string
5159 }
5160
5161 // ImageRegistry defines requests to an OCI/Docker V2 registry to
5162 // fetch image
5163 // details.
5164 "imageRegistry"?: {
5165 // ImageRegistryCredentials provides credentials that will be used
5166 // for authentication with registry
5167 "imageRegistryCredentials"?: {
// AllowInsecureRegistry allows insecure access to a registry.
// Security note: enabling this drops transport authentication of the
// registry (plain-HTTP and/or unverified TLS, depending on the client
// implementation), so the image metadata this entry feeds into policy
// decisions could be supplied by an on-path attacker. Leave it unset
// or false outside isolated test registries.
5169 "allowInsecureRegistry"?: bool
5170
5171 // Providers specifies a list of OCI Registry names, whose
5172 // authentication providers are provided.
5173 // It can be of one of these values:
5174 // default,google,azure,amazon,github.
5175 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
5176
// Secrets specifies a list of secrets that are provided for
// credentials.
// Secrets must live in the Kyverno namespace. Only the Secret names
// appear in the policy; the credential material stays in the
// referenced Secrets, so read access to Secrets in the Kyverno
// namespace should be restricted accordingly.
5180 "secrets"?: [...string]
5181 }
5182
5183 // JMESPath is an optional JSON Match Expression that can be used
5184 // to
5185 // transform the ImageData struct returned as a result of
5186 // processing
5187 // the image reference.
5188 "jmesPath"?: string
5189
5190 // Reference is image reference to a container image in the
5191 // registry.
5192 // Example: ghcr.io/kyverno/kyverno:latest
5193 "reference"!: string
5194 }
5195
5196 // Name is the variable name.
5197 "name"!: string
5198
5199 // Variable defines an arbitrary JMESPath context variable that
5200 // can be defined inline.
5201 "variable"?: {
5202 // Default is an optional arbitrary JSON object that the variable
5203 // may take if the JMESPath
5204 // expression evaluates to nil
5205 "default"?: null | bool | number | string | [...] | {
5206 ...
5207 }
5208
5209 // JMESPath is an optional JMESPath Expression that can be used to
5210 // transform the variable.
5211 "jmesPath"?: string
5212
5213 // Value is any arbitrary JSON object representable in YAML or
5214 // JSON form.
5215 "value"?: null | bool | number | string | [...] | {
5216 ...
5217 }
5218 }
5219 }]
5220
5221 // Data provides the resource declaration used to populate each
5222 // generated resource.
5223 // At most one of Data or Clone must be specified. If neither are
5224 // provided, the generated
5225 // resource will be created with default data only.
5226 "data"?: null | bool | number | string | [...] | {
5227 ...
5228 }
5229
5230 // Kind specifies resource kind.
5231 "kind"?: string
5232
// List specifies a JMESPath expression that results in one or
// more elements
// to which this foreach entry's generate logic is applied (the
// upstream wording says "validation", apparently carried over from
// the validate variant of foreach).
5236 "list"?: string
5237
5238 // Name specifies the resource name.
5239 "name"?: string
5240
5241 // Namespace specifies resource namespace.
5242 "namespace"?: string
5243
5244 // AnyAllConditions are used to determine if a policy rule should
5245 // be applied by evaluating a
5246 // set of conditions. The declaration can contain nested `any` or
5247 // `all` statements.
5248 // See: https://kyverno.io/docs/writing-policies/preconditions/
5249 "preconditions"?: {
5250 // AllConditions enable variable-based conditional rule execution.
5251 // This is useful for
5252 // finer control of when an rule is applied. A condition can
5253 // reference object data
5254 // using JMESPath notation.
5255 // Here, all of the conditions need to pass
5256 "all"?: [...{
5257 // Key is the context entry (using JMESPath) for conditional rule
5258 // evaluation.
5259 "key"?: null | bool | number | string | [...] | {
5260 ...
5261 }
5262
5263 // Message is an optional display message
5264 "message"?: string
5265
5266 // Operator is the conditional operation to perform. Valid
5267 // operators are:
5268 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5269 // GreaterThanOrEquals,
5270 // GreaterThan, LessThanOrEquals, LessThan,
5271 // DurationGreaterThanOrEquals, DurationGreaterThan,
5272 // DurationLessThanOrEquals, DurationLessThan
5273 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5274
5275 // Value is the conditional value, or set of values. The values
5276 // can be fixed set
5277 // or can be variables declared using JMESPath.
5278 "value"?: null | bool | number | string | [...] | {
5279 ...
5280 }
5281 }]
5282
// AnyConditions enable variable-based conditional rule execution.
// This is useful for finer control of when a rule is applied. A
// condition can reference object data using JMESPath notation.
// Here, at least one of the conditions needs to pass.
5289 "any"?: [...{
5290 // Key is the context entry (using JMESPath) for conditional rule
5291 // evaluation.
5292 "key"?: null | bool | number | string | [...] | {
5293 ...
5294 }
5295
5296 // Message is an optional display message
5297 "message"?: string
5298
5299 // Operator is the conditional operation to perform. Valid
5300 // operators are:
5301 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5302 // GreaterThanOrEquals,
5303 // GreaterThan, LessThanOrEquals, LessThan,
5304 // DurationGreaterThanOrEquals, DurationGreaterThan,
5305 // DurationLessThanOrEquals, DurationLessThan
5306 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5307
5308 // Value is the conditional value, or set of values. The values
5309 // can be fixed set
5310 // or can be variables declared using JMESPath.
5311 "value"?: null | bool | number | string | [...] | {
5312 ...
5313 }
5314 }]
5315 ...
5316 }
5317
5318 // UID specifies the resource uid.
5319 "uid"?: string
5320 }]
5321
// GenerateExisting controls whether to trigger the rule on
// existing resources. If set to "true", the rule is triggered and
// applied to existing matched resources.
5326 "generateExisting"?: bool
5327
5328 // Kind specifies resource kind.
5329 "kind"?: string
5330
5331 // Name specifies the resource name.
5332 "name"?: string
5333
5334 // Namespace specifies resource namespace.
5335 "namespace"?: string
5336
// OrphanDownstreamOnPolicyDelete controls whether generated
// (downstream) resources are left in place rather than deleted when
// the rule that generated them is deleted with synchronization
// enabled. This option is only applicable to generate rules of the
// data type.
// See
// https://kyverno.io/docs/writing-policies/generate/#data-examples.
// Defaults to "false" if not specified.
5344 "orphanDownstreamOnPolicyDelete"?: bool
5345
5346 // Synchronize controls if generated resources should be kept
5347 // in-sync with their source resource.
5348 // If Synchronize is set to "true" changes to generated resources
5349 // will be overwritten with resource
5350 // data from Data or the resource specified in the Clone
5351 // declaration.
5352 // Optional. Defaults to "false" if not specified.
5353 "synchronize"?: bool
5354
5355 // UID specifies the resource uid.
5356 "uid"?: string
5357 }
5358
// ImageExtractors maps a resource kind to the list of
// ImageExtractorConfigs used to locate container image references
// inside that kind. Only meaningful for verifyImages rules.
// NOTE(review): for custom resources these extractors decide which
// images are verified at all; a `path` that misses an image field
// leaves that image unverified, so review them with the same care as
// the verification rules themselves.
"imageExtractors"?: {
	[string]: [...{
		// Path locates the object holding the image field inside the
		// custom resource. Slash-separated; each segment is a valid
		// YAML key or the wildcard '*', which is expanded over arrays
		// and objects. Required.
		"path"!: string

		// Key optionally names the field under 'path' that uniquely
		// identifies an image. Note - this field MUST be unique.
		"key"?: string

		// Value optionally names the field under 'path' that holds the
		// image URI. Useful together with a custom 'key'.
		"value"?: string

		// Name is the context entry the extracted image is published
		// under, as 'images.<name>'. When unset, entries appear under
		// 'images.custom'.
		"name"?: string

		// JMESPath is an optional expression applied to the extracted
		// image value, e.g. to strip a scheme-like prefix:
		// trim_prefix(@, 'docker://').
		// Note - image digest mutation may not be used when applying a
		// JMESPath to an image.
		"jmesPath"?: string
	}]
}
5398
// MatchResources defines when this policy rule should be applied.
// The match criteria can include resource information (e.g. kind,
// name, namespace, labels) and admission review request information
// like the user name or role.
// At least one kind is required.
//
// Three forms exist: `any` (entries ORed), `all` (entries ANDed), or
// a deprecated bare `resources` block directly under match. The
// matchN(0, ...) constraint below rejects a match that is not a
// struct or that sets both `any` and `all` — presumably the CRD's
// mutual-exclusion rule; confirm against the upstream CRD.
//
// NOTE(review): `roles`, `clusterRoles` and `subjects` describe the
// requesting user, i.e. admission-request data. Per the `background`
// field's documentation, such data is unavailable in background
// scans, so a rule keyed on them should run with background=false.
"match"!: matchN(0, [null | bool | number | string | [...] | {
"any"!: _
"all"!: _
}]) & {
// All allows specifying resources which will be ANDed: every entry
// in the list must match for the rule to apply.
"all"?: [...{
// ClusterRoles is the list of cluster-wide role names for the
// user (admission-request data; see the note on `match`).
"clusterRoles"?: [...string]

// ResourceDescription contains information about the resource
// being created or modified. The matchN(0, ...) constraint rejects
// setting both the deprecated `name` and `names`.
"resources"?: matchN(0, [null | bool | number | string | [...] | {
"name"!: _
"names"!: _
}]) & {
// Annotations is a map of annotations (key-value pairs of type
// string). Annotation keys and values support the wildcard
// characters "*" (matches zero or many characters) and "?" (matches
// at least one character).
// NOTE(review): `?` is described as "at least one character" here
// but as "one character" for the label selectors below; confirm
// which the matcher implements.
"annotations"?: [string]: string

// Kinds is a list of resource kinds; the match as a whole needs at
// least one.
"kinds"?: [...string]

// Name is the name of the resource. The name supports wildcard
// characters "*" (matches zero or many characters) and "?" (at
// least one character).
// NOTE: "Name" is being deprecated in favor of "Names"; the two are
// mutually exclusive (see the constraint above).
"name"?: string

// Names are the names of the resources. Each name supports
// wildcard characters "*" (matches zero or many characters) and
// "?" (at least one character).
"names"?: [...string]

// NamespaceSelector is a label selector for the resource
// namespace. Label keys and values in `matchLabels` support the
// wildcard characters `*` (matches zero or many characters) and
// `?` (matches one character). Wildcards allow writing label
// selectors like ["storage.k8s.io/*": "*"]. Note that using
// ["*" : "*"] matches any key and value but does not match an
// empty label set.
"namespaceSelector"?: {
// matchExpressions is a list of label selector requirements. The
// requirements are ANDed.
"matchExpressions"?: [...{
// key is the label key that the selector applies to.
"key"!: string

// operator represents a key's relationship to a set of values.
// Valid operators are In, NotIn, Exists and DoesNotExist.
// (Typed as a plain string here; invalid values are not rejected
// by this schema.)
"operator"!: string

// values is an array of string values. If the operator is In or
// NotIn, the values array must be non-empty. If the operator is
// Exists or DoesNotExist, the values array must be empty. This
// array is replaced during a strategic merge patch.
"values"?: [...string]
}]

// matchLabels is a map of {key,value} pairs. A single {key,value}
// in the matchLabels map is equivalent to an element of
// matchExpressions, whose key field is "key", the operator is
// "In", and the values array contains only "value". The
// requirements are ANDed.
"matchLabels"?: {
[string]: string
}
}

// Namespaces is a list of namespace names. Each name supports
// wildcard characters "*" (matches zero or many characters) and
// "?" (at least one character).
"namespaces"?: [...string]

// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
// "DELETE"], which are used to match a specific action.
// NOTE(review): what an empty or absent list matches is not stated
// here — confirm whether it means "all operations".
"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

// Selector is a label selector. Label keys and values in
// `matchLabels` support the wildcard characters `*` (matches zero
// or many characters) and `?` (matches one character). Wildcards
// allow writing label selectors like ["storage.k8s.io/*": "*"].
// Note that using ["*" : "*"] matches any key and value but does
// not match an empty label set.
"selector"?: {
// matchExpressions is a list of label selector requirements. The
// requirements are ANDed.
"matchExpressions"?: [...{
// key is the label key that the selector applies to.
"key"!: string

// operator represents a key's relationship to a set of values.
// Valid operators are In, NotIn, Exists and DoesNotExist.
// (Typed as a plain string here; invalid values are not rejected
// by this schema.)
"operator"!: string

// values is an array of string values. If the operator is In or
// NotIn, the values array must be non-empty. If the operator is
// Exists or DoesNotExist, the values array must be empty. This
// array is replaced during a strategic merge patch.
"values"?: [...string]
}]

// matchLabels is a map of {key,value} pairs. A single {key,value}
// in the matchLabels map is equivalent to an element of
// matchExpressions, whose key field is "key", the operator is
// "In", and the values array contains only "value". The
// requirements are ANDed.
"matchLabels"?: {
[string]: string
}
}
}

// Roles is the list of namespaced role names for the user
// (admission-request data; see the note on `match`).
"roles"?: [...string]

// Subjects is the list of subject names like users, user groups,
// and service accounts (admission-request data; see the note on
// `match`).
"subjects"?: [...{
// APIGroup holds the API group of the referenced subject.
// Defaults to "" for ServiceAccount subjects.
// Defaults to "rbac.authorization.k8s.io" for User and Group
// subjects.
"apiGroup"?: string

// Kind of object being referenced. Values defined by this API
// group are "User", "Group", and "ServiceAccount".
// If the Authorizer does not recognize the kind value, the
// Authorizer should report an error.
"kind"!: string

// Name of the object being referenced.
"name"!: string

// Namespace of the referenced object. If the object kind is
// non-namespaced, such as "User" or "Group", and this value is
// not empty, the Authorizer should report an error.
// NOTE(review): presumably required for "ServiceAccount" subjects;
// this schema does not enforce it.
"namespace"?: string
}]
}]

// Any allows specifying resources which will be ORed: the rule
// applies if at least one entry in the list matches.
"any"?: [...{
// ClusterRoles is the list of cluster-wide role names for the
// user (admission-request data; see the note on `match`).
"clusterRoles"?: [...string]

// ResourceDescription contains information about the resource
// being created or modified. The matchN(0, ...) constraint rejects
// setting both the deprecated `name` and `names`.
"resources"?: matchN(0, [null | bool | number | string | [...] | {
"name"!: _
"names"!: _
}]) & {
// Annotations is a map of annotations (key-value pairs of type
// string). Annotation keys and values support the wildcard
// characters "*" (matches zero or many characters) and "?" (matches
// at least one character).
// NOTE(review): `?` is described as "at least one character" here
// but as "one character" for the label selectors below; confirm
// which the matcher implements.
"annotations"?: [string]: string

// Kinds is a list of resource kinds; the match as a whole needs at
// least one.
"kinds"?: [...string]

// Name is the name of the resource. The name supports wildcard
// characters "*" (matches zero or many characters) and "?" (at
// least one character).
// NOTE: "Name" is being deprecated in favor of "Names"; the two are
// mutually exclusive (see the constraint above).
"name"?: string

// Names are the names of the resources. Each name supports
// wildcard characters "*" (matches zero or many characters) and
// "?" (at least one character).
"names"?: [...string]

// NamespaceSelector is a label selector for the resource
// namespace. Label keys and values in `matchLabels` support the
// wildcard characters `*` (matches zero or many characters) and
// `?` (matches one character). Wildcards allow writing label
// selectors like ["storage.k8s.io/*": "*"]. Note that using
// ["*" : "*"] matches any key and value but does not match an
// empty label set.
"namespaceSelector"?: {
// matchExpressions is a list of label selector requirements. The
// requirements are ANDed.
"matchExpressions"?: [...{
// key is the label key that the selector applies to.
"key"!: string

// operator represents a key's relationship to a set of values.
// Valid operators are In, NotIn, Exists and DoesNotExist.
// (Typed as a plain string here; invalid values are not rejected
// by this schema.)
"operator"!: string

// values is an array of string values. If the operator is In or
// NotIn, the values array must be non-empty. If the operator is
// Exists or DoesNotExist, the values array must be empty. This
// array is replaced during a strategic merge patch.
"values"?: [...string]
}]

// matchLabels is a map of {key,value} pairs. A single {key,value}
// in the matchLabels map is equivalent to an element of
// matchExpressions, whose key field is "key", the operator is
// "In", and the values array contains only "value". The
// requirements are ANDed.
"matchLabels"?: {
[string]: string
}
}

// Namespaces is a list of namespace names. Each name supports
// wildcard characters "*" (matches zero or many characters) and
// "?" (at least one character).
"namespaces"?: [...string]

// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
// "DELETE"], which are used to match a specific action.
// NOTE(review): what an empty or absent list matches is not stated
// here — confirm whether it means "all operations".
"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

// Selector is a label selector. Label keys and values in
// `matchLabels` support the wildcard characters `*` (matches zero
// or many characters) and `?` (matches one character). Wildcards
// allow writing label selectors like ["storage.k8s.io/*": "*"].
// Note that using ["*" : "*"] matches any key and value but does
// not match an empty label set.
"selector"?: {
// matchExpressions is a list of label selector requirements. The
// requirements are ANDed.
"matchExpressions"?: [...{
// key is the label key that the selector applies to.
"key"!: string

// operator represents a key's relationship to a set of values.
// Valid operators are In, NotIn, Exists and DoesNotExist.
// (Typed as a plain string here; invalid values are not rejected
// by this schema.)
"operator"!: string

// values is an array of string values. If the operator is In or
// NotIn, the values array must be non-empty. If the operator is
// Exists or DoesNotExist, the values array must be empty. This
// array is replaced during a strategic merge patch.
"values"?: [...string]
}]

// matchLabels is a map of {key,value} pairs. A single {key,value}
// in the matchLabels map is equivalent to an element of
// matchExpressions, whose key field is "key", the operator is
// "In", and the values array contains only "value". The
// requirements are ANDed.
"matchLabels"?: {
[string]: string
}
}
}

// Roles is the list of namespaced role names for the user
// (admission-request data; see the note on `match`).
"roles"?: [...string]

// Subjects is the list of subject names like users, user groups,
// and service accounts (admission-request data; see the note on
// `match`).
"subjects"?: [...{
// APIGroup holds the API group of the referenced subject.
// Defaults to "" for ServiceAccount subjects.
// Defaults to "rbac.authorization.k8s.io" for User and Group
// subjects.
"apiGroup"?: string

// Kind of object being referenced. Values defined by this API
// group are "User", "Group", and "ServiceAccount".
// If the Authorizer does not recognize the kind value, the
// Authorizer should report an error.
"kind"!: string

// Name of the object being referenced.
"name"!: string

// Namespace of the referenced object. If the object kind is
// non-namespaced, such as "User" or "Group", and this value is
// not empty, the Authorizer should report an error.
// NOTE(review): presumably required for "ServiceAccount" subjects;
// this schema does not enforce it.
"namespace"?: string
}]
}]

// ClusterRoles is the list of cluster-wide role names for the
// user (admission-request data; see the note on `match`).
"clusterRoles"?: [...string]

// ResourceDescription contains information about the resource
// being created or modified. Requires at least one tag to be
// specified when under MatchResources.
// Deprecated: specifying ResourceDescription directly under match
// is being deprecated; specify it under "any" or "all" instead.
// The matchN(0, ...) constraint rejects setting both the deprecated
// `name` and `names`.
"resources"?: matchN(0, [null | bool | number | string | [...] | {
"name"!: _
"names"!: _
}]) & {
// Annotations is a map of annotations (key-value pairs of type
// string). Annotation keys and values support the wildcard
// characters "*" (matches zero or many characters) and "?" (matches
// at least one character).
// NOTE(review): `?` is described as "at least one character" here
// but as "one character" for the label selectors below; confirm
// which the matcher implements.
"annotations"?: [string]: string

// Kinds is a list of resource kinds; the match as a whole needs at
// least one.
"kinds"?: [...string]

// Name is the name of the resource. The name supports wildcard
// characters "*" (matches zero or many characters) and "?" (at
// least one character).
// NOTE: "Name" is being deprecated in favor of "Names"; the two are
// mutually exclusive (see the constraint above).
"name"?: string

// Names are the names of the resources. Each name supports
// wildcard characters "*" (matches zero or many characters) and
// "?" (at least one character).
"names"?: [...string]

// NamespaceSelector is a label selector for the resource
// namespace. Label keys and values in `matchLabels` support the
// wildcard characters `*` (matches zero or many characters) and
// `?` (matches one character). Wildcards allow writing label
// selectors like ["storage.k8s.io/*": "*"]. Note that using
// ["*" : "*"] matches any key and value but does not match an
// empty label set.
"namespaceSelector"?: {
// matchExpressions is a list of label selector requirements. The
// requirements are ANDed.
"matchExpressions"?: [...{
// key is the label key that the selector applies to.
"key"!: string

// operator represents a key's relationship to a set of values.
// Valid operators are In, NotIn, Exists and DoesNotExist.
// (Typed as a plain string here; invalid values are not rejected
// by this schema.)
"operator"!: string

// values is an array of string values. If the operator is In or
// NotIn, the values array must be non-empty. If the operator is
// Exists or DoesNotExist, the values array must be empty. This
// array is replaced during a strategic merge patch.
"values"?: [...string]
}]

// matchLabels is a map of {key,value} pairs. A single {key,value}
// in the matchLabels map is equivalent to an element of
// matchExpressions, whose key field is "key", the operator is
// "In", and the values array contains only "value". The
// requirements are ANDed.
"matchLabels"?: {
[string]: string
}
}

// Namespaces is a list of namespace names. Each name supports
// wildcard characters "*" (matches zero or many characters) and
// "?" (at least one character).
"namespaces"?: [...string]

// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
// "DELETE"], which are used to match a specific action.
// NOTE(review): what an empty or absent list matches is not stated
// here — confirm whether it means "all operations".
"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

// Selector is a label selector. Label keys and values in
// `matchLabels` support the wildcard characters `*` (matches zero
// or many characters) and `?` (matches one character). Wildcards
// allow writing label selectors like ["storage.k8s.io/*": "*"].
// Note that using ["*" : "*"] matches any key and value but does
// not match an empty label set.
"selector"?: {
// matchExpressions is a list of label selector requirements. The
// requirements are ANDed.
"matchExpressions"?: [...{
// key is the label key that the selector applies to.
"key"!: string

// operator represents a key's relationship to a set of values.
// Valid operators are In, NotIn, Exists and DoesNotExist.
// (Typed as a plain string here; invalid values are not rejected
// by this schema.)
"operator"!: string

// values is an array of string values. If the operator is In or
// NotIn, the values array must be non-empty. If the operator is
// Exists or DoesNotExist, the values array must be empty. This
// array is replaced during a strategic merge patch.
"values"?: [...string]
}]

// matchLabels is a map of {key,value} pairs. A single {key,value}
// in the matchLabels map is equivalent to an element of
// matchExpressions, whose key field is "key", the operator is
// "In", and the values array contains only "value". The
// requirements are ANDed.
"matchLabels"?: {
[string]: string
}
}
}

// Roles is the list of namespaced role names for the user
// (admission-request data; see the note on `match`).
"roles"?: [...string]

// Subjects is the list of subject names like users, user groups,
// and service accounts (admission-request data; see the note on
// `match`).
"subjects"?: [...{
// APIGroup holds the API group of the referenced subject.
// Defaults to "" for ServiceAccount subjects.
// Defaults to "rbac.authorization.k8s.io" for User and Group
// subjects.
"apiGroup"?: string

// Kind of object being referenced. Values defined by this API
// group are "User", "Group", and "ServiceAccount".
// If the Authorizer does not recognize the kind value, the
// Authorizer should report an error.
"kind"!: string

// Name of the object being referenced.
"name"!: string

// Namespace of the referenced object. If the object kind is
// non-namespaced, such as "User" or "Group", and this value is
// not empty, the Authorizer should report an error.
// NOTE(review): presumably required for "ServiceAccount" subjects;
// this schema does not enforce it.
"namespace"?: string
}]
}
5880
5881 // Mutation is used to modify matching resources.
5882 "mutate"?: {
5883 // ForEach applies mutation rules to a list of sub-elements by
5884 // creating a context for each entry in the list and looping over
5885 // it to apply the specified logic.
5886 "foreach"?: [...{
5887 // Context defines variables and data sources that can be used
5888 // during rule execution.
5889 "context"?: [...matchN(1, [{
5890 "configMap"!: _
5891 }, {
5892 "apiCall"!: _
5893 }, {
5894 "imageRegistry"!: _
5895 }, {
5896 "variable"!: _
5897 }, {
5898 "globalReference"!: _
5899 }]) & {
// APICall is an HTTP request to the Kubernetes API server, or
// other JSON web service. The data returned is stored in the
// context with the name for the context entry. Because that data
// feeds rule decisions, the called service becomes part of the
// policy's trust base; see `default` for what happens when the
// call fails.
5904 "apiCall"?: {
5905 // The data object specifies the POST data sent to the server.
5906 // Only applicable when the method field is set to POST.
5907 "data"?: [...{
5908 // Key is a unique identifier for the data value
5909 "key"!: string
5910
5911 // Value is the data value
5912 "value"!: null | bool | number | string | [...] | {
5913 ...
5914 }
5915 }]
5916
// Default is an optional arbitrary JSON object that the context
// value is set to if the apiCall returns an error. Choose it
// deliberately: a permissive default turns an unreachable or
// failing server into a fail-open outcome for rules that gate on
// this value.
5919 "default"?: null | bool | number | string | [...] | {
5920 ...
5921 }
5922
5923 // JMESPath is an optional JSON Match Expression that can be used
5924 // to
5925 // transform the JSON response returned from the server. For
5926 // example
5927 // a JMESPath of "items | length(@)" applied to the API server
5928 // response
5929 // for the URLPath "/apis/apps/v1/deployments" will return the
5930 // total count
5931 // of deployments across all namespaces.
5932 "jmesPath"?: string
5933
5934 // Method is the HTTP request type (GET or POST). Defaults to GET.
5935 "method"?: "GET" | "POST"
5936
5937 // Service is an API call to a JSON web service.
5938 // This is used for non-Kubernetes API server calls.
5939 // It's mutually exclusive with the URLPath field.
5940 "service"?: {
// CABundle is a PEM encoded CA bundle which will be used to
// validate the server certificate.
// NOTE(review): the behaviour when it is omitted (system trust
// roots vs. no verification) is not specified here — confirm before
// relying on it for an https URL.
5944 "caBundle"?: string
5945
// Headers is a list of optional HTTP headers to be included in
// the request. Values are stored in plaintext in the policy object
// (see `value`), so anyone who can read the policy can read them;
// avoid embedding long-lived credentials here.
5948 "headers"?: [...{
5949 // Key is the header key
5950 "key"!: string
5951
5952 // Value is the header value
5953 "value"!: string
5954 }]
5955
// URL is the JSON web service URL. A typical form is
// `https://{service}.{namespace}:{port}/{path}`. Prefer https: with
// plain http the request, including any `headers`, travels in
// cleartext.
5958 "url"!: string
5959 }
5960
// URLPath is the URL path to be used in the HTTP GET or POST
// request to the Kubernetes API server (e.g. "/api/v1/namespaces"
// or "/apis/apps/v1/deployments").
// The format required is the same format used by the `kubectl get
// --raw` command.
// See
// https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
// for details.
// It's mutually exclusive with the Service field.
// NOTE(review): presumably the call is made with Kyverno's own
// credentials rather than the requesting user's, so a policy author
// can read whatever Kyverno is authorized to read — confirm.
5971 "urlPath"?: string
5972 }
5973
5974 // ConfigMap is the ConfigMap reference.
5975 "configMap"?: {
5976 // Name is the ConfigMap name.
5977 "name"!: string
5978
5979 // Namespace is the ConfigMap namespace.
5980 "namespace"?: string
5981 }
5982
5983 // GlobalContextEntryReference is a reference to a cached global
5984 // context entry.
5985 "globalReference"?: {
5986 // JMESPath is an optional JSON Match Expression that can be used
5987 // to
5988 // transform the JSON response returned from the server. For
5989 // example
5990 // a JMESPath of "items | length(@)" applied to the API server
5991 // response
5992 // for the URLPath "/apis/apps/v1/deployments" will return the
5993 // total count
5994 // of deployments across all namespaces.
5995 "jmesPath"?: string
5996
5997 // Name of the global context entry
5998 "name"!: string
5999 }
6000
6001 // ImageRegistry defines requests to an OCI/Docker V2 registry to
6002 // fetch image
6003 // details.
6004 "imageRegistry"?: {
6005 // ImageRegistryCredentials provides credentials that will be used
6006 // for authentication with registry
6007 "imageRegistryCredentials"?: {
// AllowInsecureRegistry allows insecure access to a registry.
// NOTE(review): this weakens transport security for the registry
// fetch (and therefore anything decided from its result); keep it
// unset outside test clusters.
6009 "allowInsecureRegistry"?: bool
6010
// Providers specifies a list of OCI Registry names whose
// authentication providers are used. Each entry is one of:
// default, google, azure, amazon, github.
6015 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6016
6017 // Secrets specifies a list of secrets that are provided for
6018 // credentials.
6019 // Secrets must live in the Kyverno namespace.
6020 "secrets"?: [...string]
6021 }
6022
6023 // JMESPath is an optional JSON Match Expression that can be used
6024 // to
6025 // transform the ImageData struct returned as a result of
6026 // processing
6027 // the image reference.
6028 "jmesPath"?: string
6029
6030 // Reference is image reference to a container image in the
6031 // registry.
6032 // Example: ghcr.io/kyverno/kyverno:latest
6033 "reference"!: string
6034 }
6035
6036 // Name is the variable name.
6037 "name"!: string
6038
6039 // Variable defines an arbitrary JMESPath context variable that
6040 // can be defined inline.
6041 "variable"?: {
6042 // Default is an optional arbitrary JSON object that the variable
6043 // may take if the JMESPath
6044 // expression evaluates to nil
6045 "default"?: null | bool | number | string | [...] | {
6046 ...
6047 }
6048
6049 // JMESPath is an optional JMESPath Expression that can be used to
6050 // transform the variable.
6051 "jmesPath"?: string
6052
6053 // Value is any arbitrary JSON object representable in YAML or
6054 // JSON form.
6055 "value"?: null | bool | number | string | [...] | {
6056 ...
6057 }
6058 }
6059 }]
6060
6061 // Foreach declares a nested foreach iterator
6062 "foreach"?: null | bool | number | string | [...] | {
6063 ...
6064 }
6065
// List specifies a JMESPath expression that results in one or
// more elements to which the mutation logic is applied.
6069 "list"?: string
6070
// Order defines the iteration order on the list.
// Can be Ascending to iterate from first to last element or
// Descending to iterate from last to first element.
6074 "order"?: "Ascending" | "Descending"
6075
6076 // PatchStrategicMerge is a strategic merge patch used to modify
6077 // resources.
6078 // See
6079 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
6080 // and
6081 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
6082 "patchStrategicMerge"?: null | bool | number | string | [...] | {
6083 ...
6084 }
6085
6086 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
6087 // used to modify resources.
6088 // See https://tools.ietf.org/html/rfc6902 and
6089 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
6090 "patchesJson6902"?: string
6091
6092 // AnyAllConditions are used to determine if a policy rule should
6093 // be applied by evaluating a
6094 // set of conditions. The declaration can contain nested `any` or
6095 // `all` statements.
6096 // See: https://kyverno.io/docs/writing-policies/preconditions/
6097 "preconditions"?: {
// AllConditions enable variable-based conditional rule execution.
// This is useful for finer control of when a rule is applied. A
// condition can reference object data using JMESPath notation.
// Here, all of the conditions need to pass.
6104 "all"?: [...{
6105 // Key is the context entry (using JMESPath) for conditional rule
6106 // evaluation.
6107 "key"?: null | bool | number | string | [...] | {
6108 ...
6109 }
6110
6111 // Message is an optional display message
6112 "message"?: string
6113
6114 // Operator is the conditional operation to perform. Valid
6115 // operators are:
6116 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6117 // GreaterThanOrEquals,
6118 // GreaterThan, LessThanOrEquals, LessThan,
6119 // DurationGreaterThanOrEquals, DurationGreaterThan,
6120 // DurationLessThanOrEquals, DurationLessThan
6121 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6122
6123 // Value is the conditional value, or set of values. The values
6124 // can be fixed set
6125 // or can be variables declared using JMESPath.
6126 "value"?: null | bool | number | string | [...] | {
6127 ...
6128 }
6129 }]
6130
// AnyConditions enable variable-based conditional rule execution.
// This is useful for finer control of when a rule is applied. A
// condition can reference object data using JMESPath notation.
// Here, at least one of the conditions needs to pass.
6137 "any"?: [...{
6138 // Key is the context entry (using JMESPath) for conditional rule
6139 // evaluation.
6140 "key"?: null | bool | number | string | [...] | {
6141 ...
6142 }
6143
6144 // Message is an optional display message
6145 "message"?: string
6146
6147 // Operator is the conditional operation to perform. Valid
6148 // operators are:
6149 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6150 // GreaterThanOrEquals,
6151 // GreaterThan, LessThanOrEquals, LessThan,
6152 // DurationGreaterThanOrEquals, DurationGreaterThan,
6153 // DurationLessThanOrEquals, DurationLessThan
6154 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6155
6156 // Value is the conditional value, or set of values. The values
6157 // can be fixed set
6158 // or can be variables declared using JMESPath.
6159 "value"?: null | bool | number | string | [...] | {
6160 ...
6161 }
6162 }]
6163 ...
6164 }
6165 }]
6166
6167 // MutateExistingOnPolicyUpdate controls if the mutateExisting
6168 // rule will be applied on policy events.
6169 "mutateExistingOnPolicyUpdate"?: bool
6170
6171 // PatchStrategicMerge is a strategic merge patch used to modify
6172 // resources.
6173 // See
6174 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
6175 // and
6176 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
6177 "patchStrategicMerge"?: null | bool | number | string | [...] | {
6178 ...
6179 }
6180
6181 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
6182 // used to modify resources.
6183 // See https://tools.ietf.org/html/rfc6902 and
6184 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
6185 "patchesJson6902"?: string
6186
6187 // Targets defines the target resources to be mutated.
6188 "targets"?: [...{
6189 // APIVersion specifies resource apiVersion.
6190 "apiVersion"?: string
6191
6192 // Context defines variables and data sources that can be used
6193 // during rule execution.
6194 "context"?: [...matchN(1, [{
6195 "configMap"!: _
6196 }, {
6197 "apiCall"!: _
6198 }, {
6199 "imageRegistry"!: _
6200 }, {
6201 "variable"!: _
6202 }, {
6203 "globalReference"!: _
6204 }]) & {
6205 // APICall is an HTTP request to the Kubernetes API server, or
6206 // other JSON web service.
6207 // The data returned is stored in the context with the name for
6208 // the context entry.
6209 "apiCall"?: {
6210 // The data object specifies the POST data sent to the server.
6211 // Only applicable when the method field is set to POST.
6212 "data"?: [...{
6213 // Key is a unique identifier for the data value
6214 "key"!: string
6215
6216 // Value is the data value
6217 "value"!: null | bool | number | string | [...] | {
6218 ...
6219 }
6220 }]
6221
6222 // Default is an optional arbitrary JSON object that the context
6223 // value is set to, if the apiCall returns an error.
6224 "default"?: null | bool | number | string | [...] | {
6225 ...
6226 }
6227
6228 // JMESPath is an optional JSON Match Expression that can be used
6229 // to
6230 // transform the JSON response returned from the server. For
6231 // example
6232 // a JMESPath of "items | length(@)" applied to the API server
6233 // response
6234 // for the URLPath "/apis/apps/v1/deployments" will return the
6235 // total count
6236 // of deployments across all namespaces.
6237 "jmesPath"?: string
6238
6239 // Method is the HTTP request type (GET or POST). Defaults to GET.
6240 "method"?: "GET" | "POST"
6241
6242 // Service is an API call to a JSON web service.
6243 // This is used for non-Kubernetes API server calls.
6244 // It's mutually exclusive with the URLPath field.
6245 "service"?: {
6246 // CABundle is a PEM encoded CA bundle which will be used to
6247 // validate
6248 // the server certificate.
6249 "caBundle"?: string
6250
6251 // Headers is a list of optional HTTP headers to be included in
6252 // the request.
6253 "headers"?: [...{
6254 // Key is the header key
6255 "key"!: string
6256
6257 // Value is the header value
6258 "value"!: string
6259 }]
6260
6261 // URL is the JSON web service URL. A typical form is
6262 // `https://{service}.{namespace}:{port}/{path}`.
6263 "url"!: string
6264 }
6265
6266 // URLPath is the URL path to be used in the HTTP GET or POST
6267 // request to the
6268 // Kubernetes API server (e.g. "/api/v1/namespaces" or
6269 // "/apis/apps/v1/deployments").
6270 // The format required is the same format used by the `kubectl get
6271 // --raw` command.
6272 // See
6273 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6274 // for details.
6275 // It's mutually exclusive with the Service field.
6276 "urlPath"?: string
6277 }
6278
6279 // ConfigMap is the ConfigMap reference.
6280 "configMap"?: {
6281 // Name is the ConfigMap name.
6282 "name"!: string
6283
6284 // Namespace is the ConfigMap namespace.
6285 "namespace"?: string
6286 }
6287
6288 // GlobalContextEntryReference is a reference to a cached global
6289 // context entry.
6290 "globalReference"?: {
6291 // JMESPath is an optional JSON Match Expression that can be used
6292 // to
6293 // transform the JSON response returned from the server. For
6294 // example
6295 // a JMESPath of "items | length(@)" applied to the API server
6296 // response
6297 // for the URLPath "/apis/apps/v1/deployments" will return the
6298 // total count
6299 // of deployments across all namespaces.
6300 "jmesPath"?: string
6301
6302 // Name of the global context entry
6303 "name"!: string
6304 }
6305
6306 // ImageRegistry defines requests to an OCI/Docker V2 registry to
6307 // fetch image
6308 // details.
6309 "imageRegistry"?: {
6310 // ImageRegistryCredentials provides credentials that will be used
6311 // for authentication with the registry
6312 "imageRegistryCredentials"?: {
6313 // AllowInsecureRegistry allows insecure access to a registry.
6314 "allowInsecureRegistry"?: bool
6315
6316 // Providers specifies a list of OCI Registry names, whose
6317 // authentication providers are provided.
6318 // It can be one of these values:
6319 // default,google,azure,amazon,github.
6320 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6321
6322 // Secrets specifies a list of secrets that are provided for
6323 // credentials.
6324 // Secrets must live in the Kyverno namespace.
6325 "secrets"?: [...string]
6326 }
6327
6328 // JMESPath is an optional JSON Match Expression that can be used
6329 // to
6330 // transform the ImageData struct returned as a result of
6331 // processing
6332 // the image reference.
6333 "jmesPath"?: string
6334
6335 // Reference is the image reference to a container image in the
6336 // registry.
6337 // Example: ghcr.io/kyverno/kyverno:latest
6338 "reference"!: string
6339 }
6340
6341 // Name is the variable name.
6342 "name"!: string
6343
6344 // Variable defines an arbitrary JMESPath context variable that
6345 // can be defined inline.
6346 "variable"?: {
6347 // Default is an optional arbitrary JSON object that the variable
6348 // may take if the JMESPath
6349 // expression evaluates to nil
6350 "default"?: null | bool | number | string | [...] | {
6351 ...
6352 }
6353
6354 // JMESPath is an optional JMESPath Expression that can be used to
6355 // transform the variable.
6356 "jmesPath"?: string
6357
6358 // Value is any arbitrary JSON object representable in YAML or
6359 // JSON form.
6360 "value"?: null | bool | number | string | [...] | {
6361 ...
6362 }
6363 }
6364 }]
6365
6366 // Kind specifies resource kind.
6367 "kind"?: string
6368
6369 // Name specifies the resource name.
6370 "name"?: string
6371
6372 // Namespace specifies resource namespace.
6373 "namespace"?: string
6374
6375 // Preconditions are used to determine if a policy rule should be
6376 // applied by evaluating a
6377 // set of conditions. The declaration can contain nested `any` or
6378 // `all` statements. A direct list
6379 // of conditions (without `any` or `all` statements) is supported
6380 // for backwards compatibility but
6381 // will be deprecated in the next major release.
6382 // See: https://kyverno.io/docs/writing-policies/preconditions/
6383 "preconditions"?: null | bool | number | string | [...] | {
6384 ...
6385 }
6386
6387 // Selector allows you to select target resources with their
6388 // labels.
6389 "selector"?: {
6390 // matchExpressions is a list of label selector requirements. The
6391 // requirements are ANDed.
6392 "matchExpressions"?: [...{
6393 // key is the label key that the selector applies to.
6394 "key"!: string
6395
6396 // operator represents a key's relationship to a set of values.
6397 // Valid operators are In, NotIn, Exists and DoesNotExist.
6398 "operator"!: string
6399
6400 // values is an array of string values. If the operator is In or
6401 // NotIn,
6402 // the values array must be non-empty. If the operator is Exists
6403 // or DoesNotExist,
6404 // the values array must be empty. This array is replaced during a
6405 // strategic
6406 // merge patch.
6407 "values"?: [...string]
6408 }]
6409
6410 // matchLabels is a map of {key,value} pairs. A single {key,value}
6411 // in the matchLabels
6412 // map is equivalent to an element of matchExpressions, whose key
6413 // field is "key", the
6414 // operator is "In", and the values array contains only "value".
6415 // The requirements are ANDed.
6416 "matchLabels"?: {
6417 [string]: string
6418 }
6419 }
6420
6421 // UID specifies the resource uid.
6422 "uid"?: string
6423 }]
6424 }
6425
6426 // Name is a label to identify the rule. It must be unique within
6427 // the policy.
6428 "name"!: strings.MaxRunes(
6429 63)
6430
6431 // Preconditions are used to determine if a policy rule should be
6432 // applied by evaluating a
6433 // set of conditions. The declaration can contain nested `any` or
6434 // `all` statements. A direct list
6435 // of conditions (without `any` or `all` statements) is supported
6436 // for backwards compatibility but
6437 // will be deprecated in the next major release.
6438 // See: https://kyverno.io/docs/writing-policies/preconditions/
6439 "preconditions"?: null | bool | number | string | [...] | {
6440 ...
6441 }
6442
6443 // ReportProperties are the additional properties from the rule
6444 // that will be added to the policy report result
6445 "reportProperties"?: {
6446 [string]: string
6447 }
6448
6449 // SkipBackgroundRequests bypasses admission requests that are
6450 // sent by the background controller.
6451 // The default value is set to "true"; it must be set to "false"
6452 // to apply
6453 // generate and mutateExisting rules to those requests.
6454 "skipBackgroundRequests"?: bool
6455
6456 // Validation is used to validate matching resources.
6457 "validate"?: {
6458 // AllowExistingViolations allows preexisting violating resources
6459 // to continue violating a policy.
6460 "allowExistingViolations"?: bool
6461
6462 // AnyPattern specifies list of validation patterns. At least one
6463 // of the patterns
6464 // must be satisfied for the validation rule to succeed.
6465 "anyPattern"?: null | bool | number | string | [...] | {
6466 ...
6467 }
6468
6469 // Assert defines a kyverno-json assertion tree.
6470 "assert"?: {
6471 ...
6472 }
6473
6474 // CEL allows validation checks using the Common Expression
6475 // Language
6476 // (https://kubernetes.io/docs/reference/using-api/cel/).
6477 "cel"?: {
6478 // AuditAnnotations contains CEL expressions which are used to
6479 // produce audit annotations for the audit event of the API
6480 // request.
6481 "auditAnnotations"?: [...{
6482 // key specifies the audit annotation key. The audit annotation
6483 // keys of
6484 // a ValidatingAdmissionPolicy must be unique. The key must be a
6485 // qualified
6486 // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
6487 // length.
6488 //
6489 // The key is combined with the resource name of the
6490 // ValidatingAdmissionPolicy to construct an audit annotation key:
6491 // "{ValidatingAdmissionPolicy name}/{key}".
6492 //
6493 // If an admission webhook uses the same resource name as this
6494 // ValidatingAdmissionPolicy
6495 // and the same audit annotation key, the annotation key will be
6496 // identical.
6497 // In this case, the first annotation written with the key will be
6498 // included
6499 // in the audit event and all subsequent annotations with the same
6500 // key
6501 // will be discarded.
6502 //
6503 // Required.
6504 "key"!: string
6505
6506 // valueExpression represents the expression which is evaluated by
6507 // CEL to
6508 // produce an audit annotation value. The expression must evaluate
6509 // to either
6510 // a string or null value. If the expression evaluates to a
6511 // string, the
6512 // audit annotation is included with the string value. If the
6513 // expression
6514 // evaluates to null or empty string the audit annotation will be
6515 // omitted.
6516 // The valueExpression may be no longer than 5kb in length.
6517 // If the result of the valueExpression is more than 10kb in
6518 // length, it
6519 // will be truncated to 10kb.
6520 //
6521 // If multiple ValidatingAdmissionPolicyBinding resources match an
6522 // API request, then the valueExpression will be evaluated for
6523 // each binding. All unique values produced by the
6524 // valueExpressions
6525 // will be joined together in a comma-separated list.
6526 //
6527 // Required.
6528 "valueExpression"!: string
6529 }]
6530
6531 // Expressions is a list of CELExpression types.
6532 "expressions"?: [...{
6533 // Expression represents the expression which will be evaluated by
6534 // CEL.
6535 // ref: https://github.com/google/cel-spec
6536 // CEL expressions have access to the contents of the API
6537 // request/response, organized into CEL variables as well as some
6538 // other useful variables:
6539 //
6540 // - 'object' - The object from the incoming request. The value is
6541 // null for DELETE requests.
6542 // - 'oldObject' - The existing object. The value is null for
6543 // CREATE requests.
6544 // - 'request' - Attributes of the API
6545 // request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
6546 // - 'params' - Parameter resource referred to by the policy
6547 // binding being evaluated. Only populated if the policy has a
6548 // ParamKind.
6549 // - 'namespaceObject' - The namespace object that the incoming
6550 // object belongs to. The value is null for cluster-scoped
6551 // resources.
6552 // - 'variables' - Map of composited variables, from its name to
6553 // its lazily evaluated value.
6554 // For example, a variable named 'foo' can be accessed as
6555 // 'variables.foo'.
6556 // - 'authorizer' - A CEL Authorizer. May be used to perform
6557 // authorization checks for the principal (user or service
6558 // account) of the request.
6559 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
6560 // - 'authorizer.requestResource' - A CEL ResourceCheck
6561 // constructed from the 'authorizer' and configured with the
6562 // request resource.
6563 //
6564 // The `apiVersion`, `kind`, `metadata.name` and
6565 // `metadata.generateName` are always accessible from the root of
6566 // the
6567 // object. No other metadata properties are accessible.
6568 //
6569 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
6570 // are accessible.
6571 // Accessible property names are escaped according to the
6572 // following rules when accessed in the expression:
6573 // - '__' escapes to '__underscores__'
6574 // - '.' escapes to '__dot__'
6575 // - '-' escapes to '__dash__'
6576 // - '/' escapes to '__slash__'
6577 // - Property names that exactly match a CEL RESERVED keyword
6578 // escape to '__{keyword}__'. The keywords are:
6579 // "true", "false", "null", "in", "as", "break", "const",
6580 // "continue", "else", "for", "function", "if",
6581 // "import", "let", "loop", "package", "namespace", "return".
6582 // Examples:
6583 // - Expression accessing a property named "namespace":
6584 // {"Expression": "object.__namespace__ > 0"}
6585 // - Expression accessing a property named "x-prop":
6586 // {"Expression": "object.x__dash__prop > 0"}
6587 // - Expression accessing a property named "redact__d":
6588 // {"Expression": "object.redact__underscores__d > 0"}
6589 //
6590 // Equality on arrays with list type of 'set' or 'map' ignores
6591 // element order, i.e. [1, 2] == [2, 1].
6592 // Concatenation on arrays with x-kubernetes-list-type use the
6593 // semantics of the list type:
6594 // - 'set': `X + Y` performs a union where the array positions of
6595 // all elements in `X` are preserved and
6596 // non-intersecting elements in `Y` are appended, retaining their
6597 // partial order.
6598 // - 'map': `X + Y` performs a merge where the array positions of
6599 // all keys in `X` are preserved but the values
6600 // are overwritten by values in `Y` when the key sets of `X` and
6601 // `Y` intersect. Elements in `Y` with
6602 // non-intersecting keys are appended, retaining their partial
6603 // order.
6604 // Required.
6605 "expression"!: string
6606
6607 // Message represents the message displayed when validation fails.
6608 // The message is required if the Expression contains
6609 // line breaks. The message must not contain line breaks.
6610 // If unset, the message is "failed rule: {Rule}".
6611 // e.g. "must be a URL with the host matching spec.host"
6612 // If the Expression contains line breaks. Message is required.
6613 // The message must not contain line breaks.
6614 // If unset, the message is "failed Expression: {Expression}".
6615 "message"?: string
6616
6617 // messageExpression declares a CEL expression that evaluates to
6618 // the validation failure message that is returned when this rule
6619 // fails.
6620 // Since messageExpression is used as a failure message, it must
6621 // evaluate to a string.
6622 // If both message and messageExpression are present on a
6623 // validation, then messageExpression will be used if validation
6624 // fails.
6625 // If messageExpression results in a runtime error, the runtime
6626 // error is logged, and the validation failure message is
6627 // produced
6628 // as if the messageExpression field were unset. If
6629 // messageExpression evaluates to an empty string, a string with
6630 // only spaces, or a string
6631 // that contains line breaks, then the validation failure message
6632 // will also be produced as if the messageExpression field were
6633 // unset, and
6634 // the fact that messageExpression produced an empty string/string
6635 // with only spaces/string with line breaks will be logged.
6636 // messageExpression has access to all the same variables as the
6637 // `expression` except for 'authorizer' and
6638 // 'authorizer.requestResource'.
6639 // Example:
6640 // "object.x must be less than max ("+string(params.max)+")"
6641 "messageExpression"?: string
6642
6643 // Reason represents a machine-readable description of why this
6644 // validation failed.
6645 // If this is the first validation in the list to fail, this
6646 // reason, as well as the
6647 // corresponding HTTP response code, are used in the
6648 // HTTP response to the client.
6649 // The currently supported reasons are: "Unauthorized",
6650 // "Forbidden", "Invalid", "RequestEntityTooLarge".
6651 // If not set, StatusReasonInvalid is used in the response to the
6652 // client.
6653 "reason"?: string
6654 }]
6655
6656 // ParamKind is a tuple of Group Kind and Version.
6657 "paramKind"?: {
6658 // APIVersion is the API group version the resources belong to.
6659 // In format of "group/version".
6660 // Required.
6661 "apiVersion"?: string
6662
6663 // Kind is the API kind the resources belong to.
6664 // Required.
6665 "kind"?: string
6666 }
6667
6668 // ParamRef references a parameter resource.
6669 "paramRef"?: {
6670 // name is the name of the resource being referenced.
6671 //
6672 // One of `name` or `selector` must be set, but `name` and
6673 // `selector` are
6674 // mutually exclusive properties. If one is set, the other must be
6675 // unset.
6676 //
6677 // A single parameter used for all admission requests can be
6678 // configured
6679 // by setting the `name` field, leaving `selector` blank, and
6680 // setting namespace
6681 // if `paramKind` is namespace-scoped.
6682 "name"?: string
6683
6684 // namespace is the namespace of the referenced resource. Allows
6685 // limiting
6686 // the search for params to a specific namespace. Applies to both
6687 // `name` and
6688 // `selector` fields.
6689 //
6690 // A per-namespace parameter may be used by specifying a
6691 // namespace-scoped
6692 // `paramKind` in the policy and leaving this field empty.
6693 //
6694 // - If `paramKind` is cluster-scoped, this field MUST be unset.
6695 // Setting this
6696 // field results in a configuration error.
6697 //
6698 // - If `paramKind` is namespace-scoped, the namespace of the
6699 // object being
6700 // evaluated for admission will be used when this field is left
6701 // unset. Take
6702 // care that if this is left empty the binding must not match any
6703 // cluster-scoped
6704 // resources, which will result in an error.
6705 "namespace"?: string
6706
6707 // `parameterNotFoundAction` controls the behavior of the binding
6708 // when the resource
6709 // exists, and name or selector is valid, but there are no
6710 // parameters
6711 // matched by the binding. If the value is set to `Allow`, then no
6712 // matched parameters will be treated as successful validation by
6713 // the binding.
6714 // If set to `Deny`, then no matched parameters will be subject to
6715 // the
6716 // `failurePolicy` of the policy.
6717 //
6718 // Allowed values are `Allow` or `Deny`
6719 //
6720 // Required
6721 "parameterNotFoundAction"?: string
6722
6723 // selector can be used to match multiple param objects based on
6724 // their labels.
6725 // Supply selector: {} to match all resources of the ParamKind.
6726 //
6727 // If multiple params are found, they are all evaluated with the
6728 // policy expressions
6729 // and the results are ANDed together.
6730 //
6731 // One of `name` or `selector` must be set, but `name` and
6732 // `selector` are
6733 // mutually exclusive properties. If one is set, the other must be
6734 // unset.
6735 "selector"?: {
6736 // matchExpressions is a list of label selector requirements. The
6737 // requirements are ANDed.
6738 "matchExpressions"?: [...{
6739 // key is the label key that the selector applies to.
6740 "key"!: string
6741
6742 // operator represents a key's relationship to a set of values.
6743 // Valid operators are In, NotIn, Exists and DoesNotExist.
6744 "operator"!: string
6745
6746 // values is an array of string values. If the operator is In or
6747 // NotIn,
6748 // the values array must be non-empty. If the operator is Exists
6749 // or DoesNotExist,
6750 // the values array must be empty. This array is replaced during a
6751 // strategic
6752 // merge patch.
6753 "values"?: [...string]
6754 }]
6755
6756 // matchLabels is a map of {key,value} pairs. A single {key,value}
6757 // in the matchLabels
6758 // map is equivalent to an element of matchExpressions, whose key
6759 // field is "key", the
6760 // operator is "In", and the values array contains only "value".
6761 // The requirements are ANDed.
6762 "matchLabels"?: {
6763 [string]: string
6764 }
6765 }
6766 }
6767
6768 // Variables contain definitions of variables that can be used in
6769 // composition of other expressions.
6770 // Each variable is defined as a named CEL expression.
6771 // The variables defined here will be available under `variables`
6772 // in other expressions of the policy.
6773 "variables"?: [...{
6774 // Expression is the expression that will be evaluated as the
6775 // value of the variable.
6776 // The CEL expression has access to the same identifiers as the
6777 // CEL expressions in Validation.
6778 "expression"!: string
6779
6780 // Name is the name of the variable. The name must be a valid CEL
6781 // identifier and unique among all variables.
6782 // The variable can be accessed in other expressions through
6783 // `variables`
6784 // For example, if name is "foo", the variable will be available
6785 // as `variables.foo`
6786 "name"!: string
6787 }]
6788 }
6789
6790 // Deny defines conditions used to pass or fail a validation rule.
6791 "deny"?: {
6792 // Multiple conditions can be declared under an `any` or `all`
6793 // statement. A direct list
6794 // of conditions (without `any` or `all` statements) is also
6795 // supported for backwards compatibility
6796 // but will be deprecated in the next major release.
6797 // See:
6798 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
6799 "conditions"?: null | bool | number | string | [...] | {
6800 ...
6801 }
6802 }
6803
6804 // FailureAction defines if a validation policy rule violation
6805 // should block
6806 // the admission review request (Enforce), or allow (Audit) the
6807 // admission review request
6808 // and report an error in a policy report. Optional.
6809 // Allowed values are Audit or Enforce.
6810 "failureAction"?: "Audit" | "Enforce"
6811
6812 // FailureActionOverrides is a Cluster Policy attribute that
6813 // specifies FailureAction
6814 // namespace-wise. It overrides FailureAction for the specified
6815 // namespaces.
6816 "failureActionOverrides"?: [...{
6817 // ValidationFailureAction defines the policy validation failure
6818 // action
6819 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
6820
6821 // A label selector is a label query over a set of resources. The
6822 // result of matchLabels and
6823 // matchExpressions are ANDed. An empty label selector matches all
6824 // objects. A null
6825 // label selector matches no objects.
6826 "namespaceSelector"?: {
6827 // matchExpressions is a list of label selector requirements. The
6828 // requirements are ANDed.
6829 "matchExpressions"?: [...{
6830 // key is the label key that the selector applies to.
6831 "key"!: string
6832
6833 // operator represents a key's relationship to a set of values.
6834 // Valid operators are In, NotIn, Exists and DoesNotExist.
6835 "operator"!: string
6836
6837 // values is an array of string values. If the operator is In or
6838 // NotIn,
6839 // the values array must be non-empty. If the operator is Exists
6840 // or DoesNotExist,
6841 // the values array must be empty. This array is replaced during a
6842 // strategic
6843 // merge patch.
6844 "values"?: [...string]
6845 }]
6846
6847 // matchLabels is a map of {key,value} pairs. A single {key,value}
6848 // in the matchLabels
6849 // map is equivalent to an element of matchExpressions, whose key
6850 // field is "key", the
6851 // operator is "In", and the values array contains only "value".
6852 // The requirements are ANDed.
6853 "matchLabels"?: {
6854 [string]: string
6855 }
6856 }
6857 "namespaces"?: [...string]
6858 }]
6859
6860 // ForEach applies validate rules to a list of sub-elements by
6861 // creating a context for each entry in the list and looping over
6862 // it to apply the specified logic.
6863 "foreach"?: [...{
6864 // AnyPattern specifies list of validation patterns. At least one
6865 // of the patterns
6866 // must be satisfied for the validation rule to succeed.
6867 "anyPattern"?: null | bool | number | string | [...] | {
6868 ...
6869 }
6870
6871 // Context defines variables and data sources that can be used
6872 // during rule execution.
6873 "context"?: [...matchN(1, [{
6874 "configMap"!: _
6875 }, {
6876 "apiCall"!: _
6877 }, {
6878 "imageRegistry"!: _
6879 }, {
6880 "variable"!: _
6881 }, {
6882 "globalReference"!: _
6883 }]) & {
6884 // APICall is an HTTP request to the Kubernetes API server, or
6885 // other JSON web service.
6886 // The data returned is stored in the context with the name for
6887 // the context entry.
6888 "apiCall"?: {
6889 // The data object specifies the POST data sent to the server.
6890 // Only applicable when the method field is set to POST.
6891 "data"?: [...{
6892 // Key is a unique identifier for the data value
6893 "key"!: string
6894
6895 // Value is the data value
6896 "value"!: null | bool | number | string | [...] | {
6897 ...
6898 }
6899 }]
6900
6901 // Default is an optional arbitrary JSON object that the context
6902 // value is set to, if the apiCall returns an error.
6903 "default"?: null | bool | number | string | [...] | {
6904 ...
6905 }
6906
6907 // JMESPath is an optional JSON Match Expression that can be used
6908 // to
6909 // transform the JSON response returned from the server. For
6910 // example
6911 // a JMESPath of "items | length(@)" applied to the API server
6912 // response
6913 // for the URLPath "/apis/apps/v1/deployments" will return the
6914 // total count
6915 // of deployments across all namespaces.
6916 "jmesPath"?: string
6917
6918 // Method is the HTTP request type (GET or POST). Defaults to GET.
6919 "method"?: "GET" | "POST"
6920
6921 // Service is an API call to a JSON web service.
6922 // This is used for non-Kubernetes API server calls.
6923 // It's mutually exclusive with the URLPath field.
6924 "service"?: {
6925 // CABundle is a PEM encoded CA bundle which will be used to
6926 // validate
6927 // the server certificate.
6928 "caBundle"?: string
6929
6930 // Headers is a list of optional HTTP headers to be included in
6931 // the request.
6932 "headers"?: [...{
6933 // Key is the header key
6934 "key"!: string
6935
6936 // Value is the header value
6937 "value"!: string
6938 }]
6939
6940 // URL is the JSON web service URL. A typical form is
6941 // `https://{service}.{namespace}:{port}/{path}`.
6942 "url"!: string
6943 }
6944
6945 // URLPath is the URL path to be used in the HTTP GET or POST
6946 // request to the
6947 // Kubernetes API server (e.g. "/api/v1/namespaces" or
6948 // "/apis/apps/v1/deployments").
6949 // The format required is the same format used by the `kubectl get
6950 // --raw` command.
6951 // See
6952 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6953 // for details.
6954 // It's mutually exclusive with the Service field.
6955 "urlPath"?: string
6956 }
6957
6958 // ConfigMap is the ConfigMap reference.
6959 "configMap"?: {
6960 // Name is the ConfigMap name.
6961 "name"!: string
6962
6963 // Namespace is the ConfigMap namespace.
6964 "namespace"?: string
6965 }
6966
6967 // GlobalContextEntryReference is a reference to a cached global
6968 // context entry.
6969 "globalReference"?: {
6970 // JMESPath is an optional JSON Match Expression that can be used
6971 // to
6972 // transform the JSON response returned from the server. For
6973 // example
6974 // a JMESPath of "items | length(@)" applied to the API server
6975 // response
6976 // for the URLPath "/apis/apps/v1/deployments" will return the
6977 // total count
6978 // of deployments across all namespaces.
6979 "jmesPath"?: string
6980
6981 // Name of the global context entry
6982 "name"!: string
6983 }
6984
6985 // ImageRegistry defines requests to an OCI/Docker V2 registry to
6986 // fetch image
6987 // details.
6988 "imageRegistry"?: {
6989 // ImageRegistryCredentials provides credentials that will be used
6990 // for authentication with the registry
6991 "imageRegistryCredentials"?: {
6992 // AllowInsecureRegistry allows insecure access to a registry.
6993 "allowInsecureRegistry"?: bool
6994
6995 // Providers specifies a list of OCI Registry names, whose
6996 // authentication providers are provided.
6997 // It can be one of these values:
6998 // default,google,azure,amazon,github.
6999 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
7000
7001 // Secrets specifies a list of secrets that are provided for
7002 // credentials.
7003 // Secrets must live in the Kyverno namespace.
7004 "secrets"?: [...string]
7005 }
7006
7007 // JMESPath is an optional JSON Match Expression that can be used
7008 // to
7009 // transform the ImageData struct returned as a result of
7010 // processing
7011 // the image reference.
7012 "jmesPath"?: string
7013
7014 // Reference is the image reference to a container image in the
7015 // registry.
7016 // Example: ghcr.io/kyverno/kyverno:latest
7017 "reference"!: string
7018 }
7019
7020 // Name is the variable name.
7021 "name"!: string
7022
7023 // Variable defines an arbitrary JMESPath context variable that
7024 // can be defined inline.
7025 "variable"?: {
7026 // Default is an optional arbitrary JSON object that the variable
7027 // may take if the JMESPath
7028 // expression evaluates to nil
7029 "default"?: null | bool | number | string | [...] | {
7030 ...
7031 }
7032
7033 // JMESPath is an optional JMESPath Expression that can be used to
7034 // transform the variable.
7035 "jmesPath"?: string
7036
7037 // Value is any arbitrary JSON object representable in YAML or
7038 // JSON form.
7039 "value"?: null | bool | number | string | [...] | {
7040 ...
7041 }
7042 }
7043 }]
7044
7045 // Deny defines conditions used to pass or fail a validation rule.
7046 "deny"?: {
7047 // Multiple conditions can be declared under an `any` or `all`
7048 // statement. A direct list
7049 // of conditions (without `any` or `all` statements) is also
7050 // supported for backwards compatibility
7051 // but will be deprecated in the next major release.
7052 // See:
7053 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
7054 "conditions"?: null | bool | number | string | [...] | {
7055 ...
7056 }
7057 }
7058
7059 // ElementScope specifies whether to use the current list element
7060 // as the scope for validation. Defaults to "true" if not
7061 // specified.
7062 // When set to "false", "request.object" is used as the validation
7063 // scope within the foreach
7064 // block to allow referencing other elements in the subtree.
7065 "elementScope"?: bool
7066
7067 // Foreach declares a nested foreach iterator
7068 "foreach"?: null | bool | number | string | [...] | {
7069 ...
7070 }
7071
7072 // List specifies a JMESPath expression that results in one or
7073 // more elements
7074 // to which the validation logic is applied.
7075 "list"?: string
7076
7077 // Pattern specifies an overlay-style pattern used to check
7078 // resources.
7079 "pattern"?: null | bool | number | string | [...] | {
7080 ...
7081 }
7082
7083 // AnyAllConditions are used to determine if a policy rule should
7084 // be applied by evaluating a
7085 // set of conditions. The declaration can contain nested `any` or
7086 // `all` statements.
7087 // See: https://kyverno.io/docs/writing-policies/preconditions/
7088 "preconditions"?: {
7089 // AllConditions enable variable-based conditional rule execution.
7090 // This is useful for
7091 // finer control of when a rule is applied. A condition can
7092 // reference object data
7093 // using JMESPath notation.
7094 // Here, all of the conditions need to pass
7095 "all"?: [...{
7096 // Key is the context entry (using JMESPath) for conditional rule
7097 // evaluation.
7098 "key"?: null | bool | number | string | [...] | {
7099 ...
7100 }
7101
7102 // Message is an optional display message
7103 "message"?: string
7104
7105 // Operator is the conditional operation to perform. Valid
7106 // operators are:
7107 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7108 // GreaterThanOrEquals,
7109 // GreaterThan, LessThanOrEquals, LessThan,
7110 // DurationGreaterThanOrEquals, DurationGreaterThan,
7111 // DurationLessThanOrEquals, DurationLessThan
7112 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7113
7114 // Value is the conditional value, or set of values. The values
7115 // can be fixed set
7116 // or can be variables declared using JMESPath.
7117 "value"?: null | bool | number | string | [...] | {
7118 ...
7119 }
7120 }]
7121
7122 // AnyConditions enable variable-based conditional rule execution.
7123 // This is useful for
7124 // finer control of when a rule is applied. A condition can
7125 // reference object data
7126 // using JMESPath notation.
7127 // Here, at least one of the conditions needs to pass
7128 "any"?: [...{
7129 // Key is the context entry (using JMESPath) for conditional rule
7130 // evaluation.
7131 "key"?: null | bool | number | string | [...] | {
7132 ...
7133 }
7134
7135 // Message is an optional display message
7136 "message"?: string
7137
7138 // Operator is the conditional operation to perform. Valid
7139 // operators are:
7140 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7141 // GreaterThanOrEquals,
7142 // GreaterThan, LessThanOrEquals, LessThan,
7143 // DurationGreaterThanOrEquals, DurationGreaterThan,
7144 // DurationLessThanOrEquals, DurationLessThan
7145 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7146
7147 // Value is the conditional value, or set of values. The values
7148 // can be fixed set
7149 // or can be variables declared using JMESPath.
7150 "value"?: null | bool | number | string | [...] | {
7151 ...
7152 }
7153 }]
7154 ...
7155 }
7156 }]
7157
7158 // Manifest specifies conditions for manifest verification
7159 "manifests"?: {
7160 // AnnotationDomain is custom domain of annotation for message and
7161 // signature. Default is "cosign.sigstore.dev".
7162 "annotationDomain"?: string
7163
7164 // Attestors specifies the required attestors (i.e. authorities)
7165 "attestors"?: [...{
7166 // Count specifies the required number of entries that must match.
7167 // If the count is null, all entries must match
7168 // (a logical AND). If the count is 1, at least one entry must
7169 // match (a logical OR). If the count contains a
7170 // value N, then N must be less than or equal to the size of
7171 // entries, and at least N entries must match.
7172 "count"?: int & >=1
7173
7174 // Entries contains the available attestors. An attestor can be a
7175 // static key,
7176 // attributes for keyless verification, or a nested attestor
7177 // declaration.
7178 "entries"?: [...{
7179 // Annotations are used for image verification.
7180 // Every specified key-value pair must exist and match in the
7181 // verified payload.
7182 // The payload may contain other key-value pairs.
7183 "annotations"?: [string]: string
7184
7185 // Attestor is a nested set of Attestor used to specify a more
7186 // complex set of match authorities.
7187 "attestor"?: null | bool | number | string | [...] | {
7188 ...
7189 }
7190
7191 // Certificates specifies one or more certificates.
7192 "certificates"?: {
7193 // Cert is an optional PEM-encoded public certificate.
7194 "cert"?: string
7195
7196 // CertChain is an optional PEM encoded set of certificates used
7197 // to verify.
7198 "certChain"?: string
7199
7200 // CTLog (certificate timestamp log) provides a configuration for
7201 // validation of Signed Certificate
7202 // Timestamps (SCTs). If the value is unset, the default behavior
7203 // by Cosign is used.
7204 "ctlog"?: {
7205 // IgnoreSCT defines whether to use the Signed Certificate
7206 // Timestamp (SCT) log to check for a certificate
7207 // timestamp. Default is false. Set to true if this was opted out
7208 // during signing.
7209 "ignoreSCT"?: bool
7210
7211 // PubKey, if set, is used to validate SCTs against a custom
7212 // source.
7213 "pubkey"?: string
7214
7215 // TSACertChain, if set, is the PEM-encoded certificate chain file
7216 // for the RFC3161 timestamp authority. Must
7217 // contain the root CA certificate. Optionally may contain
7218 // intermediate CA certificates, and
7219 // may contain the leaf TSA certificate if not present in the
7220 // timestamp source.
7221 "tsaCertChain"?: string
7222 }
7223
7224 // Rekor provides configuration for the Rekor transparency log
7225 // service. If an empty object
7226 // is provided the public instance of Rekor
7227 // (https://rekor.sigstore.dev) is used.
7228 "rekor"?: {
7229 // IgnoreTlog skips transparency log verification.
7230 "ignoreTlog"?: bool
7231
7232 // RekorPubKey is an optional PEM-encoded public key to use for a
7233 // custom Rekor.
7234 // If set, this will be used to validate transparency log
7235 // signatures from a custom Rekor.
7236 "pubkey"?: string
7237
7238 // URL is the address of the transparency log. Defaults to the
7239 // public Rekor log instance https://rekor.sigstore.dev.
7240 "url"?: string
7241 }
7242 }
7243
7244 // Keyless is a set of attributes used to verify a Sigstore keyless
7245 // attestor.
7246 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7247 "keyless"?: {
7248 // AdditionalExtensions are certificate-extensions used for
7249 // keyless signing.
7250 "additionalExtensions"?: [string]: string
7251
7252 // CTLog (certificate timestamp log) provides a configuration for
7253 // validation of Signed Certificate
7254 // Timestamps (SCTs). If the value is unset, the default behavior
7255 // by Cosign is used.
7256 "ctlog"?: {
7257 // IgnoreSCT defines whether to use the Signed Certificate
7258 // Timestamp (SCT) log to check for a certificate
7259 // timestamp. Default is false. Set to true if this was opted out
7260 // during signing.
7261 "ignoreSCT"?: bool
7262
7263 // PubKey, if set, is used to validate SCTs against a custom
7264 // source.
7265 "pubkey"?: string
7266
7267 // TSACertChain, if set, is the PEM-encoded certificate chain file
7268 // for the RFC3161 timestamp authority. Must
7269 // contain the root CA certificate. Optionally may contain
7270 // intermediate CA certificates, and
7271 // may contain the leaf TSA certificate if not present in the
7272 // timestamp source.
7273 "tsaCertChain"?: string
7274 }
7275
7276 // Issuer is the certificate issuer used for keyless signing.
7277 "issuer"?: string
7278
7279 // IssuerRegExp is the regular expression to match certificate
7280 // issuer used for keyless signing.
7281 "issuerRegExp"?: string
7282
7283 // Rekor provides configuration for the Rekor transparency log
7284 // service. If an empty object
7285 // is provided the public instance of Rekor
7286 // (https://rekor.sigstore.dev) is used.
7287 "rekor"?: {
7288 // IgnoreTlog skips transparency log verification.
7289 "ignoreTlog"?: bool
7290
7291 // RekorPubKey is an optional PEM-encoded public key to use for a
7292 // custom Rekor.
7293 // If set, this will be used to validate transparency log
7294 // signatures from a custom Rekor.
7295 "pubkey"?: string
7296
7297 // URL is the address of the transparency log. Defaults to the
7298 // public Rekor log instance https://rekor.sigstore.dev.
7299 "url"?: string
7300 }
7301
7302 // Roots is an optional set of PEM encoded trusted root
7303 // certificates.
7304 // If not provided, the system roots are used.
7305 "roots"?: string
7306
7307 // Subject is the verified identity used for keyless signing, for
7308 // example the email address.
7309 "subject"?: string
7310
7311 // SubjectRegExp is the regular expression to match identity used
7312 // for keyless signing, for example the email address.
7313 "subjectRegExp"?: string
7314 }
7315
7316 // Keys specifies one or more public keys.
7317 "keys"?: {
7318 // CTLog (certificate timestamp log) provides a configuration for
7319 // validation of Signed Certificate
7320 // Timestamps (SCTs). If the value is unset, the default behavior
7321 // by Cosign is used.
7322 "ctlog"?: {
7323 // IgnoreSCT defines whether to use the Signed Certificate
7324 // Timestamp (SCT) log to check for a certificate
7325 // timestamp. Default is false. Set to true if this was opted out
7326 // during signing.
7327 "ignoreSCT"?: bool
7328
7329 // PubKey, if set, is used to validate SCTs against a custom
7330 // source.
7331 "pubkey"?: string
7332
7333 // TSACertChain, if set, is the PEM-encoded certificate chain file
7334 // for the RFC3161 timestamp authority. Must
7335 // contain the root CA certificate. Optionally may contain
7336 // intermediate CA certificates, and
7337 // may contain the leaf TSA certificate if not present in the
7338 // timestamp source.
7339 "tsaCertChain"?: string
7340 }
7341
7342 // KMS provides the URI to the public key stored in a Key
7343 // Management System. See:
7344 // https://github.com/sigstore/cosign/blob/main/KMS.md
7345 "kms"?: string
7346
7347 // Keys is a set of X.509 public keys used to verify image
7348 // signatures. The keys can be directly
7349 // specified or can be a variable reference to a key specified in
7350 // a ConfigMap (see
7351 // https://kyverno.io/docs/writing-policies/variables/), or
7352 // reference a standard Kubernetes Secret
7353 // elsewhere in the cluster by specifying it in the format
7354 // "k8s://<namespace>/<secret_name>".
7355 // The named Secret must specify a key `cosign.pub` containing the
7356 // public key used for
7357 // verification (see
7358 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7359 // When multiple keys are specified each key is processed as a
7360 // separate staticKey entry
7361 // (.attestors[*].entries.keys) within the set of attestors and
7362 // the count is applied across the keys.
7363 "publicKeys"?: string
7364
7365 // Rekor provides configuration for the Rekor transparency log
7366 // service. If an empty object
7367 // is provided the public instance of Rekor
7368 // (https://rekor.sigstore.dev) is used.
7369 "rekor"?: {
7370 // IgnoreTlog skips transparency log verification.
7371 "ignoreTlog"?: bool
7372
7373 // RekorPubKey is an optional PEM-encoded public key to use for a
7374 // custom Rekor.
7375 // If set, this will be used to validate transparency log
7376 // signatures from a custom Rekor.
7377 "pubkey"?: string
7378
7379 // URL is the address of the transparency log. Defaults to the
7380 // public Rekor log instance https://rekor.sigstore.dev.
7381 "url"?: string
7382 }
7383
7384 // Reference to a Secret resource that contains a public key
7385 "secret"?: {
7386 // Name of the secret. The provided secret must contain a key
7387 // named cosign.pub.
7388 "name"!: string
7389
7390 // Namespace name where the Secret exists.
7391 "namespace"!: string
7392 }
7393
7394 // Deprecated. Use attestor.signatureAlgorithm instead.
7395 "signatureAlgorithm"?: string
7396 }
7397
7398 // Repository is an optional alternate OCI repository to use for
7399 // signatures and attestations that match this rule.
7400 // If specified Repository will override other OCI image
7401 // repository locations for this Attestor.
7402 "repository"?: string
7403
7404 // Specify signature algorithm for public keys. Supported values
7405 // are sha224, sha256, sha384 and sha512.
7406 "signatureAlgorithm"?: string
7407 }]
7408 }]
7409
7410 // DryRun configuration
7411 "dryRun"?: {
7412 "enable"?: bool
7413 "namespace"?: string
7414 }
7415
7416 // Fields which will be ignored while comparing manifests.
7417 "ignoreFields"?: [...{
7418 "fields"?: [...string]
7419 "objects"?: [...{
7420 "group"?: string
7421 "kind"?: string
7422 "name"?: string
7423 "namespace"?: string
7424 "version"?: string
7425 }]
7426 }]
7427
7428 // Repository is an optional alternate OCI repository to use for
7429 // resource bundle reference.
7430 // The repository can be overridden per Attestor or Attestation.
7431 "repository"?: string
7432 }
7433
7434 // Message specifies a custom message to be displayed on failure.
7435 "message"?: string
7436
7437 // Pattern specifies an overlay-style pattern used to check
7438 // resources.
7439 "pattern"?: null | bool | number | string | [...] | {
7440 ...
7441 }
7442
7443 // PodSecurity applies exemptions for Kubernetes Pod Security
7444 // admission
7445 // by specifying exclusions for Pod Security Standards controls.
7446 "podSecurity"?: {
7447 // Exclude specifies the Pod Security Standard controls to be
7448 // excluded.
7449 "exclude"?: [...{
7450 // ControlName specifies the name of the Pod Security Standard
7451 // control.
7452 // See:
7453 // https://kubernetes.io/docs/concepts/security/pod-security-standards/
7454 "controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
7455
7456 // Images selects matching containers and applies the container
7457 // level PSS.
7458 // Each image is the image name consisting of the registry
7459 // address, repository, image, and tag.
7460 // Empty list matches no containers, PSS checks are applied at the
7461 // pod level only.
7462 // Wildcards ('*' and '?') are allowed. See:
7463 // https://kubernetes.io/docs/concepts/containers/images.
7464 "images"?: [...string]
7465
7466 // RestrictedField selects the field for the given Pod Security
7467 // Standard control.
7468 // When not set, all restricted fields for the control are
7469 // selected.
7470 "restrictedField"?: string
7471
7472 // Values defines the allowed values that can be excluded.
7473 "values"?: [...string]
7474 }]
7475
7476 // Level defines the Pod Security Standard level to be applied to
7477 // workloads.
7478 // Allowed values are privileged, baseline, and restricted.
7479 "level"?: "privileged" | "baseline" | "restricted"
7480
7481 // Version defines the Pod Security Standard versions that
7482 // Kubernetes supports.
7483 // Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
7484 // v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
7485 "version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
7486 }
7487 }
7488
7489 // VerifyImages is used to verify image signatures and mutate them
7490 // to add a digest
7491 "verifyImages"?: [...{
7492 // Deprecated.
7493 "additionalExtensions"?: [string]: string
7494
7495 // Deprecated. Use annotations per Attestor instead.
7496 "annotations"?: {
7497 [string]: string
7498 }
7499
7500 // Attestations are optional checks for signed in-toto Statements
7501 // used to verify the image.
7502 // See https://github.com/in-toto/attestation. Kyverno fetches
7503 // signed attestations from the
7504 // OCI registry and decodes them into a list of Statement
7505 // declarations.
7506 "attestations"?: [...{
7507 // Attestors specify the required attestors (i.e. authorities).
7508 "attestors"?: [...{
7509 // Count specifies the required number of entries that must match.
7510 // If the count is null, all entries must match
7511 // (a logical AND). If the count is 1, at least one entry must
7512 // match (a logical OR). If the count contains a
7513 // value N, then N must be less than or equal to the size of
7514 // entries, and at least N entries must match.
7515 "count"?: int & >=1
7516
7517 // Entries contains the available attestors. An attestor can be a
7518 // static key,
7519 // attributes for keyless verification, or a nested attestor
7520 // declaration.
7521 "entries"?: [...{
7522 // Annotations are used for image verification.
7523 // Every specified key-value pair must exist and match in the
7524 // verified payload.
7525 // The payload may contain other key-value pairs.
7526 "annotations"?: [string]: string
7527
7528 // Attestor is a nested set of Attestor used to specify a more
7529 // complex set of match authorities.
7530 "attestor"?: null | bool | number | string | [...] | {
7531 ...
7532 }
7533
7534 // Certificates specifies one or more certificates.
7535 "certificates"?: {
7536 // Cert is an optional PEM-encoded public certificate.
7537 "cert"?: string
7538
7539 // CertChain is an optional PEM encoded set of certificates used
7540 // to verify.
7541 "certChain"?: string
7542
7543 // CTLog (certificate timestamp log) provides a configuration for
7544 // validation of Signed Certificate
7545 // Timestamps (SCTs). If the value is unset, the default behavior
7546 // by Cosign is used.
7547 "ctlog"?: {
7548 // IgnoreSCT defines whether to use the Signed Certificate
7549 // Timestamp (SCT) log to check for a certificate
7550 // timestamp. Default is false. Set to true if this was opted out
7551 // during signing.
7552 "ignoreSCT"?: bool
7553
7554 // PubKey, if set, is used to validate SCTs against a custom
7555 // source.
7556 "pubkey"?: string
7557
7558 // TSACertChain, if set, is the PEM-encoded certificate chain file
7559 // for the RFC3161 timestamp authority. Must
7560 // contain the root CA certificate. Optionally may contain
7561 // intermediate CA certificates, and
7562 // may contain the leaf TSA certificate if not present in the
7563 // timestamp source.
7564 "tsaCertChain"?: string
7565 }
7566
7567 // Rekor provides configuration for the Rekor transparency log
7568 // service. If an empty object
7569 // is provided the public instance of Rekor
7570 // (https://rekor.sigstore.dev) is used.
7571 "rekor"?: {
7572 // IgnoreTlog skips transparency log verification.
7573 "ignoreTlog"?: bool
7574
7575 // RekorPubKey is an optional PEM-encoded public key to use for a
7576 // custom Rekor.
7577 // If set, this will be used to validate transparency log
7578 // signatures from a custom Rekor.
7579 "pubkey"?: string
7580
7581 // URL is the address of the transparency log. Defaults to the
7582 // public Rekor log instance https://rekor.sigstore.dev.
7583 "url"?: string
7584 }
7585 }
7586
7587 // Keyless is a set of attributes used to verify a Sigstore keyless
7588 // attestor.
7589 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7590 "keyless"?: {
7591 // AdditionalExtensions are certificate-extensions used for
7592 // keyless signing.
7593 "additionalExtensions"?: [string]: string
7594
7595 // CTLog (certificate timestamp log) provides a configuration for
7596 // validation of Signed Certificate
7597 // Timestamps (SCTs). If the value is unset, the default behavior
7598 // by Cosign is used.
7599 "ctlog"?: {
7600 // IgnoreSCT defines whether to use the Signed Certificate
7601 // Timestamp (SCT) log to check for a certificate
7602 // timestamp. Default is false. Set to true if this was opted out
7603 // during signing.
7604 "ignoreSCT"?: bool
7605
7606 // PubKey, if set, is used to validate SCTs against a custom
7607 // source.
7608 "pubkey"?: string
7609
7610 // TSACertChain, if set, is the PEM-encoded certificate chain file
7611 // for the RFC3161 timestamp authority. Must
7612 // contain the root CA certificate. Optionally may contain
7613 // intermediate CA certificates, and
7614 // may contain the leaf TSA certificate if not present in the
7615 // timestamp source.
7616 "tsaCertChain"?: string
7617 }
7618
7619 // Issuer is the certificate issuer used for keyless signing.
7620 "issuer"?: string
7621
7622 // IssuerRegExp is the regular expression to match certificate
7623 // issuer used for keyless signing.
7624 "issuerRegExp"?: string
7625
7626 // Rekor provides configuration for the Rekor transparency log
7627 // service. If an empty object
7628 // is provided the public instance of Rekor
7629 // (https://rekor.sigstore.dev) is used.
7630 "rekor"?: {
7631 // IgnoreTlog skips transparency log verification.
7632 "ignoreTlog"?: bool
7633
7634 // RekorPubKey is an optional PEM-encoded public key to use for a
7635 // custom Rekor.
7636 // If set, this will be used to validate transparency log
7637 // signatures from a custom Rekor.
7638 "pubkey"?: string
7639
7640 // URL is the address of the transparency log. Defaults to the
7641 // public Rekor log instance https://rekor.sigstore.dev.
7642 "url"?: string
7643 }
7644
7645 // Roots is an optional set of PEM encoded trusted root
7646 // certificates.
7647 // If not provided, the system roots are used.
7648 "roots"?: string
7649
7650 // Subject is the verified identity used for keyless signing, for
7651 // example the email address.
7652 "subject"?: string
7653
7654 // SubjectRegExp is the regular expression to match identity used
7655 // for keyless signing, for example the email address.
7656 "subjectRegExp"?: string
7657 }
7658
7659 // Keys specifies one or more public keys.
7660 "keys"?: {
7661 // CTLog (certificate timestamp log) provides a configuration for
7662 // validation of Signed Certificate
7663 // Timestamps (SCTs). If the value is unset, the default behavior
7664 // by Cosign is used.
7665 "ctlog"?: {
7666 // IgnoreSCT defines whether to use the Signed Certificate
7667 // Timestamp (SCT) log to check for a certificate
7668 // timestamp. Default is false. Set to true if this was opted out
7669 // during signing.
7670 "ignoreSCT"?: bool
7671
7672 // PubKey, if set, is used to validate SCTs against a custom
7673 // source.
7674 "pubkey"?: string
7675
7676 // TSACertChain, if set, is the PEM-encoded certificate chain file
7677 // for the RFC3161 timestamp authority. Must
7678 // contain the root CA certificate. Optionally may contain
7679 // intermediate CA certificates, and
7680 // may contain the leaf TSA certificate if not present in the
7681 // timestamp source.
7682 "tsaCertChain"?: string
7683 }
7684
7685 // KMS provides the URI to the public key stored in a Key
7686 // Management System. See:
7687 // https://github.com/sigstore/cosign/blob/main/KMS.md
7688 "kms"?: string
7689
7690 // Keys is a set of X.509 public keys used to verify image
7691 // signatures. The keys can be directly
7692 // specified or can be a variable reference to a key specified in
7693 // a ConfigMap (see
7694 // https://kyverno.io/docs/writing-policies/variables/), or
7695 // reference a standard Kubernetes Secret
7696 // elsewhere in the cluster by specifying it in the format
7697 // "k8s://<namespace>/<secret_name>".
7698 // The named Secret must specify a key `cosign.pub` containing the
7699 // public key used for
7700 // verification (see
7701 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7702 // When multiple keys are specified each key is processed as a
7703 // separate staticKey entry
7704 // (.attestors[*].entries.keys) within the set of attestors and
7705 // the count is applied across the keys.
7706 "publicKeys"?: string
7707
7708 // Rekor provides configuration for the Rekor transparency log
7709 // service. If an empty object
7710 // is provided the public instance of Rekor
7711 // (https://rekor.sigstore.dev) is used.
7712 "rekor"?: {
7713 // IgnoreTlog skips transparency log verification.
7714 "ignoreTlog"?: bool
7715
7716 // RekorPubKey is an optional PEM-encoded public key to use for a
7717 // custom Rekor.
7718 // If set, this will be used to validate transparency log
7719 // signatures from a custom Rekor.
7720 "pubkey"?: string
7721
7722 // URL is the address of the transparency log. Defaults to the
7723 // public Rekor log instance https://rekor.sigstore.dev.
7724 "url"?: string
7725 }
7726
7727 // Reference to a Secret resource that contains a public key
7728 "secret"?: {
7729 // Name of the secret. The provided secret must contain a key
7730 // named cosign.pub.
7731 "name"!: string
7732
7733 // Namespace name where the Secret exists.
7734 "namespace"!: string
7735 }
7736
7737 // Deprecated. Use attestor.signatureAlgorithm instead.
7738 "signatureAlgorithm"?: string
7739 }
7740
7741 // Repository is an optional alternate OCI repository to use for
7742 // signatures and attestations that match this rule.
7743 // If specified Repository will override other OCI image
7744 // repository locations for this Attestor.
7745 "repository"?: string
7746
7747 // Specify signature algorithm for public keys. Supported values
7748 // are sha224, sha256, sha384 and sha512.
7749 "signatureAlgorithm"?: string
7750 }]
7751 }]
7752
7753 // Conditions are used to verify attributes within a Predicate. If
7754 // no Conditions are specified
7755 // the attestation check is satisfied as long as there are predicates
7756 // that match the predicate type.
7757 "conditions"?: [...{
7758 // AllConditions enable variable-based conditional rule execution.
7759 // This is useful for
7760 // finer control of when a rule is applied. A condition can
7761 // reference object data
7762 // using JMESPath notation.
7763 // Here, all of the conditions need to pass
7764 "all"?: [...{
7765 // Key is the context entry (using JMESPath) for conditional rule
7766 // evaluation.
7767 "key"?: null | bool | number | string | [...] | {
7768 ...
7769 }
7770
7771 // Message is an optional display message
7772 "message"?: string
7773
7774 // Operator is the conditional operation to perform. Valid
7775 // operators are:
7776 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7777 // GreaterThanOrEquals,
7778 // GreaterThan, LessThanOrEquals, LessThan,
7779 // DurationGreaterThanOrEquals, DurationGreaterThan,
7780 // DurationLessThanOrEquals, DurationLessThan
7781 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7782
7783 // Value is the conditional value, or set of values. The values
7784 // can be fixed set
7785 // or can be variables declared using JMESPath.
7786 "value"?: null | bool | number | string | [...] | {
7787 ...
7788 }
7789 }]
7790
7791 // AnyConditions enable variable-based conditional rule execution.
7792 // This is useful for
7793 // finer control of when a rule is applied. A condition can
7794 // reference object data
7795 // using JMESPath notation.
7796 // Here, at least one of the conditions needs to pass
7797 "any"?: [...{
7798 // Key is the context entry (using JMESPath) for conditional rule
7799 // evaluation.
7800 "key"?: null | bool | number | string | [...] | {
7801 ...
7802 }
7803
7804 // Message is an optional display message
7805 "message"?: string
7806
7807 // Operator is the conditional operation to perform. Valid
7808 // operators are:
7809 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7810 // GreaterThanOrEquals,
7811 // GreaterThan, LessThanOrEquals, LessThan,
7812 // DurationGreaterThanOrEquals, DurationGreaterThan,
7813 // DurationLessThanOrEquals, DurationLessThan
7814 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7815
7816 // Value is the conditional value, or set of values. The values
7817 // can be fixed set
7818 // or can be variables declared using JMESPath.
7819 "value"?: null | bool | number | string | [...] | {
7820 ...
7821 }
7822 }]
7823 }]
7824
7825 // Name is the variable name.
7826 "name"?: string
7827
7828 // Deprecated in favour of 'Type', to be removed soon
7829 "predicateType"?: string
7830
7831 // Type defines the type of attestation contained within the
7832 // Statement.
7833 "type"?: string
7834 }]
7835
7836 // Attestors specifies the required attestors (i.e. authorities)
7837 "attestors"?: [...{
7838 // Count specifies the required number of entries that must match.
7839 // If the count is null, all entries must match
7840 // (a logical AND). If the count is 1, at least one entry must
7841 // match (a logical OR). If the count contains a
7842 // value N, then N must be less than or equal to the size of
7843 // entries, and at least N entries must match.
7844 "count"?: int & >=1
7845
7846 // Entries contains the available attestors. An attestor can be a
7847 // static key,
7848 // attributes for keyless verification, or a nested attestor
7849 // declaration.
7850 "entries"?: [...{
7851 // Annotations are used for image verification.
7852 // Every specified key-value pair must exist and match in the
7853 // verified payload.
7854 // The payload may contain other key-value pairs.
7855 "annotations"?: [string]: string
7856
7857 // Attestor is a nested set of Attestors used to specify a more
7858 // complex set of match authorities.
7859 "attestor"?: null | bool | number | string | [...] | {
7860 ...
7861 }
7862
7863 // Certificates specifies one or more certificates.
7864 "certificates"?: {
7865 // Cert is an optional PEM-encoded public certificate.
7866 "cert"?: string
7867
7868 // CertChain is an optional PEM encoded set of certificates used
7869 // to verify.
7870 "certChain"?: string
7871
7872 // CTLog (certificate timestamp log) provides a configuration for
7873 // validation of Signed Certificate
7874 // Timestamps (SCTs). If the value is unset, the default behavior
7875 // by Cosign is used.
7876 "ctlog"?: {
7877 // IgnoreSCT defines whether to use the Signed Certificate
7878 // Timestamp (SCT) log to check for a certificate
7879 // timestamp. Default is false. Set to true if this was opted out
7880 // during signing.
7881 "ignoreSCT"?: bool
7882
7883 // PubKey, if set, is used to validate SCTs against a custom
7884 // source.
7885 "pubkey"?: string
7886
7887 // TSACertChain, if set, is the PEM-encoded certificate chain file
7888 // for the RFC3161 timestamp authority. Must
7889 // contain the root CA certificate. Optionally may contain
7890 // intermediate CA certificates, and
7891 // may contain the leaf TSA certificate if not present in the
7892 // timestamp source.
7893 "tsaCertChain"?: string
7894 }
7895
7896 // Rekor provides configuration for the Rekor transparency log
7897 // service. If an empty object
7898 // is provided the public instance of Rekor
7899 // (https://rekor.sigstore.dev) is used.
7900 "rekor"?: {
7901 // IgnoreTlog skips transparency log verification.
7902 "ignoreTlog"?: bool
7903
7904 // RekorPubKey is an optional PEM-encoded public key to use for a
7905 // custom Rekor.
7906 // If set, this will be used to validate transparency log
7907 // signatures from a custom Rekor.
7908 "pubkey"?: string
7909
7910 // URL is the address of the transparency log. Defaults to the
7911 // public Rekor log instance https://rekor.sigstore.dev.
7912 "url"?: string
7913 }
7914 }
7915
7916 // Keyless is a set of attributes used to verify a Sigstore keyless
7917 // attestor.
7918 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7919 "keyless"?: {
7920 // AdditionalExtensions are certificate-extensions used for
7921 // keyless signing.
7922 "additionalExtensions"?: [string]: string
7923
7924 // CTLog (certificate timestamp log) provides a configuration for
7925 // validation of Signed Certificate
7926 // Timestamps (SCTs). If the value is unset, the default behavior
7927 // by Cosign is used.
7928 "ctlog"?: {
7929 // IgnoreSCT defines whether to use the Signed Certificate
7930 // Timestamp (SCT) log to check for a certificate
7931 // timestamp. Default is false. Set to true if this was opted out
7932 // during signing.
7933 "ignoreSCT"?: bool
7934
7935 // PubKey, if set, is used to validate SCTs against a custom
7936 // source.
7937 "pubkey"?: string
7938
7939 // TSACertChain, if set, is the PEM-encoded certificate chain file
7940 // for the RFC3161 timestamp authority. Must
7941 // contain the root CA certificate. Optionally may contain
7942 // intermediate CA certificates, and
7943 // may contain the leaf TSA certificate if not present in the
7944 // timestamp source.
7945 "tsaCertChain"?: string
7946 }
7947
7948 // Issuer is the certificate issuer used for keyless signing.
7949 "issuer"?: string
7950
7951 // IssuerRegExp is the regular expression to match certificate
7952 // issuer used for keyless signing.
7953 "issuerRegExp"?: string
7954
7955 // Rekor provides configuration for the Rekor transparency log
7956 // service. If an empty object
7957 // is provided the public instance of Rekor
7958 // (https://rekor.sigstore.dev) is used.
7959 "rekor"?: {
7960 // IgnoreTlog skips transparency log verification.
7961 "ignoreTlog"?: bool
7962
7963 // RekorPubKey is an optional PEM-encoded public key to use for a
7964 // custom Rekor.
7965 // If set, this will be used to validate transparency log
7966 // signatures from a custom Rekor.
7967 "pubkey"?: string
7968
7969 // URL is the address of the transparency log. Defaults to the
7970 // public Rekor log instance https://rekor.sigstore.dev.
7971 "url"?: string
7972 }
7973
7974 // Roots is an optional set of PEM encoded trusted root
7975 // certificates.
7976 // If not provided, the system roots are used.
7977 "roots"?: string
7978
7979 // Subject is the verified identity used for keyless signing, for
7980 // example the email address.
7981 "subject"?: string
7982
7983 // SubjectRegExp is the regular expression to match identity used
7984 // for keyless signing, for example the email address.
7985 "subjectRegExp"?: string
7986 }
7987
7988 // Keys specifies one or more public keys.
7989 "keys"?: {
7990 // CTLog (certificate timestamp log) provides a configuration for
7991 // validation of Signed Certificate
7992 // Timestamps (SCTs). If the value is unset, the default behavior
7993 // by Cosign is used.
7994 "ctlog"?: {
7995 // IgnoreSCT defines whether to use the Signed Certificate
7996 // Timestamp (SCT) log to check for a certificate
7997 // timestamp. Default is false. Set to true if this was opted out
7998 // during signing.
7999 "ignoreSCT"?: bool
8000
8001 // PubKey, if set, is used to validate SCTs against a custom
8002 // source.
8003 "pubkey"?: string
8004
8005 // TSACertChain, if set, is the PEM-encoded certificate chain file
8006 // for the RFC3161 timestamp authority. Must
8007 // contain the root CA certificate. Optionally may contain
8008 // intermediate CA certificates, and
8009 // may contain the leaf TSA certificate if not present in the
8010 // timestamp source.
8011 "tsaCertChain"?: string
8012 }
8013
8014 // KMS provides the URI to the public key stored in a Key
8015 // Management System. See:
8016 // https://github.com/sigstore/cosign/blob/main/KMS.md
8017 "kms"?: string
8018
8019 // Keys is a set of X.509 public keys used to verify image
8020 // signatures. The keys can be directly
8021 // specified or can be a variable reference to a key specified in
8022 // a ConfigMap (see
8023 // https://kyverno.io/docs/writing-policies/variables/), or
8024 // reference a standard Kubernetes Secret
8025 // elsewhere in the cluster by specifying it in the format
8026 // "k8s://<namespace>/<secret_name>".
8027 // The named Secret must specify a key `cosign.pub` containing the
8028 // public key used for
8029 // verification, (see
8030 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
8031 // When multiple keys are specified each key is processed as a
8032 // separate staticKey entry
8033 // (.attestors[*].entries.keys) within the set of attestors and
8034 // the count is applied across the keys.
8035 "publicKeys"?: string
8036
8037 // Rekor provides configuration for the Rekor transparency log
8038 // service. If an empty object
8039 // is provided the public instance of Rekor
8040 // (https://rekor.sigstore.dev) is used.
8041 "rekor"?: {
8042 // IgnoreTlog skips transparency log verification.
8043 "ignoreTlog"?: bool
8044
8045 // RekorPubKey is an optional PEM-encoded public key to use for a
8046 // custom Rekor.
8047 // If set, this will be used to validate transparency log
8048 // signatures from a custom Rekor.
8049 "pubkey"?: string
8050
8051 // URL is the address of the transparency log. Defaults to the
8052 // public Rekor log instance https://rekor.sigstore.dev.
8053 "url"?: string
8054 }
8055
8056 // Reference to a Secret resource that contains a public key
8057 "secret"?: {
8058 // Name of the secret. The provided secret must contain a key
8059 // named cosign.pub.
8060 "name"!: string
8061
8062 // Namespace name where the Secret exists.
8063 "namespace"!: string
8064 }
8065
8066 // Deprecated. Use attestor.signatureAlgorithm instead.
8067 "signatureAlgorithm"?: string
8068 }
8069
8070 // Repository is an optional alternate OCI repository to use for
8071 // signatures and attestations that match this rule.
8072 // If specified Repository will override other OCI image
8073 // repository locations for this Attestor.
8074 "repository"?: string
8075
8076 // Specify signature algorithm for public keys. Supported values
8077 // are sha224, sha256, sha384 and sha512.
8078 "signatureAlgorithm"?: string
8079 }]
8080 }]
8081
8082 // CosignOCI11 enables the experimental OCI 1.1 behaviour in
8083 // cosign image verification.
8084 // Defaults to false.
8085 "cosignOCI11"?: bool
8086
8087 // Allowed values are Audit or Enforce.
8088 "failureAction"?: "Audit" | "Enforce"
8089
8090 // Deprecated. Use ImageReferences instead.
8091 "image"?: string
8092
8093 // ImageReferences is a list of matching image reference patterns.
8094 // At least one pattern in the
8095 // list must match the image for the rule to apply. Each image
8096 // reference consists of a registry
8097 // address (defaults to docker.io), repository, image, and tag
8098 // (defaults to latest).
8099 // Wildcards ('*' and '?') are allowed. See:
8100 // https://kubernetes.io/docs/concepts/containers/images.
8101 "imageReferences"?: [...string]
8102
8103 // ImageRegistryCredentials provides credentials that will be used
8104 // for authentication with registry.
8105 "imageRegistryCredentials"?: {
8106 // AllowInsecureRegistry allows insecure access to a registry.
8107 "allowInsecureRegistry"?: bool
8108
8109 // Providers specifies a list of OCI Registry names, whose
8110 // authentication providers are provided.
8111 // Each entry must be one of these values:
8112 // default,google,azure,amazon,github.
8113 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
8114
8115 // Secrets specifies a list of secrets that are provided for
8116 // credentials.
8117 // Secrets must live in the Kyverno namespace.
8118 "secrets"?: [...string]
8119 }
8120
8121 // Deprecated. Use KeylessAttestor instead.
8122 "issuer"?: string
8123
8124 // Deprecated. Use StaticKeyAttestor instead.
8125 "key"?: string
8126
8127 // MutateDigest enables replacement of image tags with digests.
8128 // Defaults to true.
8129 "mutateDigest"?: bool
8130
8131 // Repository is an optional alternate OCI repository to use for
8132 // image signatures and attestations that match this rule.
8133 // If specified Repository will override the default OCI image
8134 // repository configured for the installation.
8135 // The repository can also be overridden per Attestor or
8136 // Attestation.
8137 "repository"?: string
8138
8139 // Required validates that images are verified, i.e. have passed
8140 // a signature or attestation check.
8141 "required"?: bool
8142
8143 // Deprecated. Use KeylessAttestor instead.
8144 "roots"?: string
8145
8146 // SkipImageReferences is a list of matching image reference
8147 // patterns that should be skipped.
8148 // At least one pattern in the list must match the image for the
8149 // rule to be skipped. Each image reference
8150 // consists of a registry address (defaults to docker.io),
8151 // repository, image, and tag (defaults to latest).
8152 // Wildcards ('*' and '?') are allowed. See:
8153 // https://kubernetes.io/docs/concepts/containers/images.
8154 "skipImageReferences"?: [...string]
8155
8156 // Deprecated. Use KeylessAttestor instead.
8157 "subject"?: string
8158
8159 // Type specifies the method of signature validation. The allowed
8160 // options
8161 // are Cosign, Sigstore Bundle and Notary. By default Cosign is
8162 // used if a type is not specified.
8163 "type"?: "Cosign" | "SigstoreBundle" | "Notary"
8164
8165 // UseCache enables caching of image verify responses for this
8166 // rule.
8167 "useCache"?: bool
8168
8169 // Validation checks conditions across multiple image
8170 // verification attestations or context entries
8171 "validate"?: {
8172 // Deny defines conditions used to pass or fail a validation rule.
8173 "deny"?: {
8174 // Multiple conditions can be declared under an `any` or `all`
8175 // statement. A direct list
8176 // of conditions (without `any` or `all` statements) is also
8177 // supported for backwards compatibility
8178 // but will be deprecated in the next major release.
8179 // See:
8180 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
8181 "conditions"?: null | bool | number | string | [...] | {
8182 ...
8183 }
8184 }
8185
8186 // Message specifies a custom message to be displayed on failure.
8187 "message"?: string
8188 }
8189
8190 // VerifyDigest validates that images have a digest.
8191 "verifyDigest"?: bool
8192 }]
8193 }]
8194 }
8195 "conditions"?: [...{
8196 // lastTransitionTime is the last time the condition transitioned
8197 // from one status to another.
8198 // This should be when the underlying condition changed. If that
8199 // is not known, then using the time when the API field changed
8200 // is acceptable.
8201 "lastTransitionTime"!: time.Time
8202
8203 // message is a human readable message indicating details about
8204 // the transition.
8205 // This may be an empty string.
8206 "message"!: strings.MaxRunes(
8207 32768)
8208
8209 // observedGeneration represents the .metadata.generation that the
8210 // condition was set based upon.
8211 // For instance, if .metadata.generation is currently 12, but the
8212 // .status.conditions[x].observedGeneration is 9, the condition
8213 // is out of date
8214 // with respect to the current state of the instance.
8215 "observedGeneration"?: int64 & int & >=0
8216
8217 // reason contains a programmatic identifier indicating the reason
8218 // for the condition's last transition.
8219 // Producers of specific condition types may define expected
8220 // values and meanings for this field,
8221 // and whether the values are considered a guaranteed API.
8222 // The value should be a CamelCase string.
8223 // This field may not be empty.
8224 "reason"!: strings.MaxRunes(
8225 1024) & strings.MinRunes(
8226 1) & =~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"
8227
8228 // status of the condition, one of True, False, Unknown.
8229 "status"!: "True" | "False" | "Unknown"
8230
8231 // type of condition in CamelCase or in foo.example.com/CamelCase.
8232 "type"!: strings.MaxRunes(
8233 316) & =~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
8234 }]
8235
8236 // Deprecated in favor of Conditions
8237 "ready"?: bool
8238
8239 // RuleCountStatus contains four variables which describe the
8240 // counts for
8241 // validate, generate, mutate and verify images rules
8242 "rulecount"?: {
8243 // Count for generate rules in policy
8244 "generate"!: int
8245
8246 // Count for mutate rules in policy
8247 "mutate"!: int
8248
8249 // Count for validate rules in policy
8250 "validate"!: int
8251
8252 // Count for verify image rules in policy
8253 "verifyimages"!: int
8254 }
8255
8256 // ValidatingAdmissionPolicy contains status information
8257 "validatingadmissionpolicy"?: {
8258 // Generated indicates whether a validating admission policy is
8259 // generated from the policy or not
8260 "generated"!: bool
8261
8262 // Message is a human readable message indicating details about
8263 // the generation of validating admission policy
8264 // It is an empty string when validating admission policy is
8265 // successfully generated.
8266 "message"!: string
8267 }
8268 }
8269
8270 _embeddedResource: {
8271 "apiVersion"!: string
8272 "kind"!: string
8273 "metadata"?: {
8274 ...
8275 }
8276 }
8277 apiVersion: "kyverno.io/v1"
8278 kind: "Policy"
8279 metadata!: {
8280 "name"!: string
8281 "namespace"!: string
8282 "labels"?: {
8283 [string]: string
8284 }
8285 "annotations"?: {
8286 [string]: string
8287 }
8288 ...
8289 }
8290}