1package v2beta1
2
3import (
4 "strings"
5 "time"
6)
7
8// Policy declares validation, mutation, and generation behaviors
9// for matching resources.
10// See: https://kyverno.io/docs/writing-policies/ for more
11// information.
12#Policy: {
13 _embeddedResource
14
15 // APIVersion defines the versioned schema of this representation
16 // of an object.
17 // Servers should convert recognized schemas to the latest
18 // internal value, and
19 // may reject unrecognized values.
20 // More info:
21 // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
22 "apiVersion"?: string
23
24 // Kind is a string value representing the REST resource this
25 // object represents.
26 // Servers may infer this from the endpoint the client submits
27 // requests to.
28 // Cannot be updated.
29 // In CamelCase.
30 // More info:
31 // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
32 "kind"?: string
33 "metadata"?: {}
34
35 // Spec defines policy behaviors and contains one or more rules.
36 "spec"!: {
37 // Admission controls if rules are applied during admission.
38 // Optional. Default value is "true".
39 "admission"?: bool
40
41 // ApplyRules controls how rules in a policy are applied. Rule are
42 // processed in
43 // the order of declaration. When set to `One` processing stops
44 // after a rule has
45 // been applied i.e. the rule matches and results in a pass, fail,
46 // or error. When
47 // set to `All` all rules in the policy are processed. The default
48 // is `All`.
49 "applyRules"?: "All" | "One"
50
51 // Background controls if rules are applied to existing resources
52 // during a background scan.
53 // Optional. Default value is "true". The value must be set to
54 // "false" if the policy rule
55 // uses variables that are only available in the admission review
56 // request (e.g. user name).
57 "background"?: bool
58
59 // EmitWarning enables API response warnings for mutate policy
60 // rules or validate policy rules with validationFailureAction
61 // set to Audit.
62 // Enabling this option will extend admission request processing
63 // times. The default value is "false".
64 "emitWarning"?: bool
65
66 // Deprecated, use failurePolicy under the webhookConfiguration
67 // instead.
68 "failurePolicy"?: "Ignore" | "Fail"
69
70 // Deprecated, use generateExisting under the generate rule
71 // instead
72 "generateExisting"?: bool
73
74 // Deprecated, use generateExisting instead
75 "generateExistingOnPolicyUpdate"?: bool
76
77 // Deprecated, use mutateExistingOnPolicyUpdate under the mutate
78 // rule instead
79 "mutateExistingOnPolicyUpdate"?: bool
80
81 // Rules is a list of Rule instances. A Policy contains multiple
82 // rules and
83 // each rule can validate, mutate, or generate resources.
84 "rules"?: [...{
85 // CELPreconditions are used to determine if a policy rule should
86 // be applied by evaluating a
87 // set of CEL conditions. It can only be used with the
88 // validate.cel subrule
89 "celPreconditions"?: [...{
90 // Expression represents the expression which will be evaluated by
91 // CEL. Must evaluate to bool.
92 // CEL expressions have access to the contents of the
93 // AdmissionRequest and Authorizer, organized into CEL variables:
94 //
95 // 'object' - The object from the incoming request. The value is
96 // null for DELETE requests.
97 // 'oldObject' - The existing object. The value is null for CREATE
98 // requests.
99 // 'request' - Attributes of the admission
100 // request(/pkg/apis/admission/types.go#AdmissionRequest).
101 // 'authorizer' - A CEL Authorizer. May be used to perform
102 // authorization checks for the principal (user or service
103 // account) of the request.
104 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
105 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
106 // from the 'authorizer' and configured with the
107 // request resource.
108 // Documentation on CEL:
109 // https://kubernetes.io/docs/reference/using-api/cel/
110 //
111 // Required.
112 "expression"!: string
113
114 // Name is an identifier for this match condition, used for
115 // strategic merging of MatchConditions,
116 // as well as providing an identifier for logging purposes. A good
117 // name should be descriptive of
118 // the associated expression.
119 // Name must be a qualified name consisting of alphanumeric
120 // characters, '-', '_' or '.', and
121 // must start and end with an alphanumeric character (e.g.
122 // 'MyName', or 'my.name', or
123 // '123-abc', regex used for validation is
124 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
125 // optional DNS subdomain prefix and '/' (e.g.
126 // 'example.com/MyName')
127 //
128 // Required.
129 "name"!: string
130 }]
131
132 // Context defines variables and data sources that can be used
133 // during rule execution.
134 "context"?: [...matchN(1, [{
135 "configMap"!: _
136 }, {
137 "apiCall"!: _
138 }, {
139 "imageRegistry"!: _
140 }, {
141 "variable"!: _
142 }, {
143 "globalReference"!: _
144 }]) & {
145 // APICall is an HTTP request to the Kubernetes API server, or
146 // other JSON web service.
147 // The data returned is stored in the context with the name for
148 // the context entry.
149 "apiCall"?: {
150 // The data object specifies the POST data sent to the server.
151 // Only applicable when the method field is set to POST.
152 "data"?: [...{
153 // Key is a unique identifier for the data value
154 "key"!: string
155
156 // Value is the data value
157 "value"!: null | bool | number | string | [...] | {
158 ...
159 }
160 }]
161
162 // Default is an optional arbitrary JSON object that the context
163 // value is set to, if the apiCall returns error.
164 "default"?: null | bool | number | string | [...] | {
165 ...
166 }
167
168 // JMESPath is an optional JSON Match Expression that can be used
169 // to
170 // transform the JSON response returned from the server. For
171 // example
172 // a JMESPath of "items | length(@)" applied to the API server
173 // response
174 // for the URLPath "/apis/apps/v1/deployments" will return the
175 // total count
176 // of deployments across all namespaces.
177 "jmesPath"?: string
178
179 // Method is the HTTP request type (GET or POST). Defaults to GET.
180 "method"?: "GET" | "POST"
181
182 // Service is an API call to a JSON web service.
183 // This is used for non-Kubernetes API server calls.
184 // It's mutually exclusive with the URLPath field.
185 "service"?: {
186 // CABundle is a PEM encoded CA bundle which will be used to
187 // validate
188 // the server certificate.
189 "caBundle"?: string
190
191 // Headers is a list of optional HTTP headers to be included in
192 // the request.
193 "headers"?: [...{
194 // Key is the header key
195 "key"!: string
196
197 // Value is the header value
198 "value"!: string
199 }]
200
201 // URL is the JSON web service URL. A typical form is
202 // `https://{service}.{namespace}:{port}/{path}`.
203 "url"!: string
204 }
205
206 // URLPath is the URL path to be used in the HTTP GET or POST
207 // request to the
208 // Kubernetes API server (e.g. "/api/v1/namespaces" or
209 // "/apis/apps/v1/deployments").
210 // The format required is the same format used by the `kubectl get
211 // --raw` command.
212 // See
213 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
214 // for details.
215 // It's mutually exclusive with the Service field.
216 "urlPath"?: string
217 }
218
219 // ConfigMap is the ConfigMap reference.
220 "configMap"?: {
221 // Name is the ConfigMap name.
222 "name"!: string
223
224 // Namespace is the ConfigMap namespace.
225 "namespace"?: string
226 }
227
228 // GlobalContextEntryReference is a reference to a cached global
229 // context entry.
230 "globalReference"?: {
231 // JMESPath is an optional JSON Match Expression that can be used
232 // to
233 // transform the JSON response returned from the server. For
234 // example
235 // a JMESPath of "items | length(@)" applied to the API server
236 // response
237 // for the URLPath "/apis/apps/v1/deployments" will return the
238 // total count
239 // of deployments across all namespaces.
240 "jmesPath"?: string
241
242 // Name of the global context entry
243 "name"!: string
244 }
245
246 // ImageRegistry defines requests to an OCI/Docker V2 registry to
247 // fetch image
248 // details.
249 "imageRegistry"?: {
250 // ImageRegistryCredentials provides credentials that will be used
251 // for authentication with registry
252 "imageRegistryCredentials"?: {
253 // AllowInsecureRegistry allows insecure access to a registry.
254 "allowInsecureRegistry"?: bool
255
256 // Providers specifies a list of OCI Registry names, whose
257 // authentication providers are provided.
258 // It can be of one of these values:
259 // default,google,azure,amazon,github.
260 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
261
262 // Secrets specifies a list of secrets that are provided for
263 // credentials.
264 // Secrets must live in the Kyverno namespace.
265 "secrets"?: [...string]
266 }
267
268 // JMESPath is an optional JSON Match Expression that can be used
269 // to
270 // transform the ImageData struct returned as a result of
271 // processing
272 // the image reference.
273 "jmesPath"?: string
274
275 // Reference is image reference to a container image in the
276 // registry.
277 // Example: ghcr.io/kyverno/kyverno:latest
278 "reference"!: string
279 }
280
281 // Name is the variable name.
282 "name"!: string
283
284 // Variable defines an arbitrary JMESPath context variable that
285 // can be defined inline.
286 "variable"?: {
287 // Default is an optional arbitrary JSON object that the variable
288 // may take if the JMESPath
289 // expression evaluates to nil
290 "default"?: null | bool | number | string | [...] | {
291 ...
292 }
293
294 // JMESPath is an optional JMESPath Expression that can be used to
295 // transform the variable.
296 "jmesPath"?: string
297
298 // Value is any arbitrary JSON object representable in YAML or
299 // JSON form.
300 "value"?: null | bool | number | string | [...] | {
301 ...
302 }
303 }
304 }]
305
306 // ExcludeResources defines when this policy rule should not be
307 // applied. The exclude
308 // criteria can include resource information (e.g. kind, name,
309 // namespace, labels)
310 // and admission review request information like the name or role.
311 "exclude"?: matchN(0, [null | bool | number | string | [...] | {
312 "any"!: _
313 "all"!: _
314 }]) & {
315 // All allows specifying resources which will be ANDed
316 "all"?: [...{
317 // ClusterRoles is the list of cluster-wide role names for the
318 // user.
319 "clusterRoles"?: [...string]
320
321 // ResourceDescription contains information about the resource
322 // being created or modified.
323 "resources"?: matchN(0, [null | bool | number | string | [...] | {
324 "name"!: _
325 "names"!: _
326 }]) & {
327 // Annotations is a map of annotations (key-value pairs of type
328 // string). Annotation keys
329 // and values support the wildcard characters "*" (matches zero or
330 // many characters) and
331 // "?" (matches at least one character).
332 "annotations"?: [string]: string
333
334 // Kinds is a list of resource kinds.
335 "kinds"?: [...string]
336
337 // Name is the name of the resource. The name supports wildcard
338 // characters
339 // "*" (matches zero or many characters) and "?" (at least one
340 // character).
341 // NOTE: "Name" is being deprecated in favor of "Names".
342 "name"?: string
343
344 // Names are the names of the resources. Each name supports
345 // wildcard characters
346 // "*" (matches zero or many characters) and "?" (at least one
347 // character).
348 "names"?: [...string]
349
350 // NamespaceSelector is a label selector for the resource
351 // namespace. Label keys and values
352 // in `matchLabels` support the wildcard characters `*` (matches
353 // zero or many characters)
354 // and `?` (matches one character).Wildcards allows writing label
355 // selectors like
356 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
357 // any key and value but
358 // does not match an empty label set.
359 "namespaceSelector"?: {
360 // matchExpressions is a list of label selector requirements. The
361 // requirements are ANDed.
362 "matchExpressions"?: [...{
363 // key is the label key that the selector applies to.
364 "key"!: string
365
366 // operator represents a key's relationship to a set of values.
367 // Valid operators are In, NotIn, Exists and DoesNotExist.
368 "operator"!: string
369
370 // values is an array of string values. If the operator is In or
371 // NotIn,
372 // the values array must be non-empty. If the operator is Exists
373 // or DoesNotExist,
374 // the values array must be empty. This array is replaced during a
375 // strategic
376 // merge patch.
377 "values"?: [...string]
378 }]
379
380 // matchLabels is a map of {key,value} pairs. A single {key,value}
381 // in the matchLabels
382 // map is equivalent to an element of matchExpressions, whose key
383 // field is "key", the
384 // operator is "In", and the values array contains only "value".
385 // The requirements are ANDed.
386 "matchLabels"?: {
387 [string]: string
388 }
389 }
390
391 // Namespaces is a list of namespaces names. Each name supports
392 // wildcard characters
393 // "*" (matches zero or many characters) and "?" (at least one
394 // character).
395 "namespaces"?: [...string]
396
397 // Operations can contain values ["CREATE, "UPDATE", "CONNECT",
398 // "DELETE"], which are used to match a specific action.
399 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
400
401 // Selector is a label selector. Label keys and values in
402 // `matchLabels` support the wildcard
403 // characters `*` (matches zero or many characters) and `?`
404 // (matches one character).
405 // Wildcards allows writing label selectors like
406 // ["storage.k8s.io/*": "*"]. Note that
407 // using ["*" : "*"] matches any key and value but does not match
408 // an empty label set.
409 "selector"?: {
410 // matchExpressions is a list of label selector requirements. The
411 // requirements are ANDed.
412 "matchExpressions"?: [...{
413 // key is the label key that the selector applies to.
414 "key"!: string
415
416 // operator represents a key's relationship to a set of values.
417 // Valid operators are In, NotIn, Exists and DoesNotExist.
418 "operator"!: string
419
420 // values is an array of string values. If the operator is In or
421 // NotIn,
422 // the values array must be non-empty. If the operator is Exists
423 // or DoesNotExist,
424 // the values array must be empty. This array is replaced during a
425 // strategic
426 // merge patch.
427 "values"?: [...string]
428 }]
429
430 // matchLabels is a map of {key,value} pairs. A single {key,value}
431 // in the matchLabels
432 // map is equivalent to an element of matchExpressions, whose key
433 // field is "key", the
434 // operator is "In", and the values array contains only "value".
435 // The requirements are ANDed.
436 "matchLabels"?: {
437 [string]: string
438 }
439 }
440 }
441
442 // Roles is the list of namespaced role names for the user.
443 "roles"?: [...string]
444
445 // Subjects is the list of subject names like users, user groups,
446 // and service accounts.
447 "subjects"?: [...{
448 // APIGroup holds the API group of the referenced subject.
449 // Defaults to "" for ServiceAccount subjects.
450 // Defaults to "rbac.authorization.k8s.io" for User and Group
451 // subjects.
452 "apiGroup"?: string
453
454 // Kind of object being referenced. Values defined by this API
455 // group are "User", "Group", and "ServiceAccount".
456 // If the Authorizer does not recognized the kind value, the
457 // Authorizer should report an error.
458 "kind"!: string
459
460 // Name of the object being referenced.
461 "name"!: string
462
463 // Namespace of the referenced object. If the object kind is
464 // non-namespace, such as "User" or "Group", and this value is
465 // not empty
466 // the Authorizer should report an error.
467 "namespace"?: string
468 }]
469 }]
470
471 // Any allows specifying resources which will be ORed
472 "any"?: [...{
473 // ClusterRoles is the list of cluster-wide role names for the
474 // user.
475 "clusterRoles"?: [...string]
476
477 // ResourceDescription contains information about the resource
478 // being created or modified.
479 "resources"?: matchN(0, [null | bool | number | string | [...] | {
480 "name"!: _
481 "names"!: _
482 }]) & {
483 // Annotations is a map of annotations (key-value pairs of type
484 // string). Annotation keys
485 // and values support the wildcard characters "*" (matches zero or
486 // many characters) and
487 // "?" (matches at least one character).
488 "annotations"?: [string]: string
489
490 // Kinds is a list of resource kinds.
491 "kinds"?: [...string]
492
493 // Name is the name of the resource. The name supports wildcard
494 // characters
495 // "*" (matches zero or many characters) and "?" (at least one
496 // character).
497 // NOTE: "Name" is being deprecated in favor of "Names".
498 "name"?: string
499
500 // Names are the names of the resources. Each name supports
501 // wildcard characters
502 // "*" (matches zero or many characters) and "?" (at least one
503 // character).
504 "names"?: [...string]
505
506 // NamespaceSelector is a label selector for the resource
507 // namespace. Label keys and values
508 // in `matchLabels` support the wildcard characters `*` (matches
509 // zero or many characters)
510 // and `?` (matches one character).Wildcards allows writing label
511 // selectors like
512 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
513 // any key and value but
514 // does not match an empty label set.
515 "namespaceSelector"?: {
516 // matchExpressions is a list of label selector requirements. The
517 // requirements are ANDed.
518 "matchExpressions"?: [...{
519 // key is the label key that the selector applies to.
520 "key"!: string
521
522 // operator represents a key's relationship to a set of values.
523 // Valid operators are In, NotIn, Exists and DoesNotExist.
524 "operator"!: string
525
526 // values is an array of string values. If the operator is In or
527 // NotIn,
528 // the values array must be non-empty. If the operator is Exists
529 // or DoesNotExist,
530 // the values array must be empty. This array is replaced during a
531 // strategic
532 // merge patch.
533 "values"?: [...string]
534 }]
535
536 // matchLabels is a map of {key,value} pairs. A single {key,value}
537 // in the matchLabels
538 // map is equivalent to an element of matchExpressions, whose key
539 // field is "key", the
540 // operator is "In", and the values array contains only "value".
541 // The requirements are ANDed.
542 "matchLabels"?: {
543 [string]: string
544 }
545 }
546
547 // Namespaces is a list of namespaces names. Each name supports
548 // wildcard characters
549 // "*" (matches zero or many characters) and "?" (at least one
550 // character).
551 "namespaces"?: [...string]
552
553 // Operations can contain values ["CREATE, "UPDATE", "CONNECT",
554 // "DELETE"], which are used to match a specific action.
555 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
556
557 // Selector is a label selector. Label keys and values in
558 // `matchLabels` support the wildcard
559 // characters `*` (matches zero or many characters) and `?`
560 // (matches one character).
561 // Wildcards allows writing label selectors like
562 // ["storage.k8s.io/*": "*"]. Note that
563 // using ["*" : "*"] matches any key and value but does not match
564 // an empty label set.
565 "selector"?: {
566 // matchExpressions is a list of label selector requirements. The
567 // requirements are ANDed.
568 "matchExpressions"?: [...{
569 // key is the label key that the selector applies to.
570 "key"!: string
571
572 // operator represents a key's relationship to a set of values.
573 // Valid operators are In, NotIn, Exists and DoesNotExist.
574 "operator"!: string
575
576 // values is an array of string values. If the operator is In or
577 // NotIn,
578 // the values array must be non-empty. If the operator is Exists
579 // or DoesNotExist,
580 // the values array must be empty. This array is replaced during a
581 // strategic
582 // merge patch.
583 "values"?: [...string]
584 }]
585
586 // matchLabels is a map of {key,value} pairs. A single {key,value}
587 // in the matchLabels
588 // map is equivalent to an element of matchExpressions, whose key
589 // field is "key", the
590 // operator is "In", and the values array contains only "value".
591 // The requirements are ANDed.
592 "matchLabels"?: {
593 [string]: string
594 }
595 }
596 }
597
598 // Roles is the list of namespaced role names for the user.
599 "roles"?: [...string]
600
601 // Subjects is the list of subject names like users, user groups,
602 // and service accounts.
603 "subjects"?: [...{
604 // APIGroup holds the API group of the referenced subject.
605 // Defaults to "" for ServiceAccount subjects.
606 // Defaults to "rbac.authorization.k8s.io" for User and Group
607 // subjects.
608 "apiGroup"?: string
609
610 // Kind of object being referenced. Values defined by this API
611 // group are "User", "Group", and "ServiceAccount".
612 // If the Authorizer does not recognized the kind value, the
613 // Authorizer should report an error.
614 "kind"!: string
615
616 // Name of the object being referenced.
617 "name"!: string
618
619 // Namespace of the referenced object. If the object kind is
620 // non-namespace, such as "User" or "Group", and this value is
621 // not empty
622 // the Authorizer should report an error.
623 "namespace"?: string
624 }]
625 }]
626 }
627
628 // Generation is used to create new resources.
629 "generate"?: {
630 // APIVersion specifies resource apiVersion.
631 "apiVersion"?: string
632
633 // Clone specifies the source resource used to populate each
634 // generated resource.
635 // At most one of Data or Clone can be specified. If neither are
636 // provided, the generated
637 // resource will be created with default data only.
638 "clone"?: {
639 // Name specifies name of the resource.
640 "name"?: string
641
642 // Namespace specifies source resource namespace.
643 "namespace"?: string
644 }
645
646 // CloneList specifies the list of source resource used to
647 // populate each generated resource.
648 "cloneList"?: {
649 // Kinds is a list of resource kinds.
650 "kinds"?: [...string]
651
652 // Namespace specifies source resource namespace.
653 "namespace"?: string
654
655 // Selector is a label selector. Label keys and values in
656 // `matchLabels`.
657 // wildcard characters are not supported.
658 "selector"?: {
659 // matchExpressions is a list of label selector requirements. The
660 // requirements are ANDed.
661 "matchExpressions"?: [...{
662 // key is the label key that the selector applies to.
663 "key"!: string
664
665 // operator represents a key's relationship to a set of values.
666 // Valid operators are In, NotIn, Exists and DoesNotExist.
667 "operator"!: string
668
669 // values is an array of string values. If the operator is In or
670 // NotIn,
671 // the values array must be non-empty. If the operator is Exists
672 // or DoesNotExist,
673 // the values array must be empty. This array is replaced during a
674 // strategic
675 // merge patch.
676 "values"?: [...string]
677 }]
678
679 // matchLabels is a map of {key,value} pairs. A single {key,value}
680 // in the matchLabels
681 // map is equivalent to an element of matchExpressions, whose key
682 // field is "key", the
683 // operator is "In", and the values array contains only "value".
684 // The requirements are ANDed.
685 "matchLabels"?: {
686 [string]: string
687 }
688 }
689 }
690
691 // Data provides the resource declaration used to populate each
692 // generated resource.
693 // At most one of Data or Clone must be specified. If neither are
694 // provided, the generated
695 // resource will be created with default data only.
696 "data"?: null | bool | number | string | [...] | {
697 ...
698 }
699
700 // ForEach applies generate rules to a list of sub-elements by
701 // creating a context for each entry in the list and looping over
702 // it to apply the specified logic.
703 "foreach"?: [...{
704 // APIVersion specifies resource apiVersion.
705 "apiVersion"?: string
706
707 // Clone specifies the source resource used to populate each
708 // generated resource.
709 // At most one of Data or Clone can be specified. If neither are
710 // provided, the generated
711 // resource will be created with default data only.
712 "clone"?: {
713 // Name specifies name of the resource.
714 "name"?: string
715
716 // Namespace specifies source resource namespace.
717 "namespace"?: string
718 }
719
720 // CloneList specifies the list of source resource used to
721 // populate each generated resource.
722 "cloneList"?: {
723 // Kinds is a list of resource kinds.
724 "kinds"?: [...string]
725
726 // Namespace specifies source resource namespace.
727 "namespace"?: string
728
729 // Selector is a label selector. Label keys and values in
730 // `matchLabels`.
731 // wildcard characters are not supported.
732 "selector"?: {
733 // matchExpressions is a list of label selector requirements. The
734 // requirements are ANDed.
735 "matchExpressions"?: [...{
736 // key is the label key that the selector applies to.
737 "key"!: string
738
739 // operator represents a key's relationship to a set of values.
740 // Valid operators are In, NotIn, Exists and DoesNotExist.
741 "operator"!: string
742
743 // values is an array of string values. If the operator is In or
744 // NotIn,
745 // the values array must be non-empty. If the operator is Exists
746 // or DoesNotExist,
747 // the values array must be empty. This array is replaced during a
748 // strategic
749 // merge patch.
750 "values"?: [...string]
751 }]
752
753 // matchLabels is a map of {key,value} pairs. A single {key,value}
754 // in the matchLabels
755 // map is equivalent to an element of matchExpressions, whose key
756 // field is "key", the
757 // operator is "In", and the values array contains only "value".
758 // The requirements are ANDed.
759 "matchLabels"?: {
760 [string]: string
761 }
762 }
763 }
764
765 // Context defines variables and data sources that can be used
766 // during rule execution.
767 "context"?: [...matchN(1, [{
768 "configMap"!: _
769 }, {
770 "apiCall"!: _
771 }, {
772 "imageRegistry"!: _
773 }, {
774 "variable"!: _
775 }, {
776 "globalReference"!: _
777 }]) & {
778 // APICall is an HTTP request to the Kubernetes API server, or
779 // other JSON web service.
780 // The data returned is stored in the context with the name for
781 // the context entry.
782 "apiCall"?: {
783 // The data object specifies the POST data sent to the server.
784 // Only applicable when the method field is set to POST.
785 "data"?: [...{
786 // Key is a unique identifier for the data value
787 "key"!: string
788
789 // Value is the data value
790 "value"!: null | bool | number | string | [...] | {
791 ...
792 }
793 }]
794
795 // Default is an optional arbitrary JSON object that the context
796 // value is set to, if the apiCall returns error.
797 "default"?: null | bool | number | string | [...] | {
798 ...
799 }
800
801 // JMESPath is an optional JSON Match Expression that can be used
802 // to
803 // transform the JSON response returned from the server. For
804 // example
805 // a JMESPath of "items | length(@)" applied to the API server
806 // response
807 // for the URLPath "/apis/apps/v1/deployments" will return the
808 // total count
809 // of deployments across all namespaces.
810 "jmesPath"?: string
811
812 // Method is the HTTP request type (GET or POST). Defaults to GET.
813 "method"?: "GET" | "POST"
814
815 // Service is an API call to a JSON web service.
816 // This is used for non-Kubernetes API server calls.
817 // It's mutually exclusive with the URLPath field.
818 "service"?: {
819 // CABundle is a PEM encoded CA bundle which will be used to
820 // validate
821 // the server certificate.
822 "caBundle"?: string
823
824 // Headers is a list of optional HTTP headers to be included in
825 // the request.
826 "headers"?: [...{
827 // Key is the header key
828 "key"!: string
829
830 // Value is the header value
831 "value"!: string
832 }]
833
834 // URL is the JSON web service URL. A typical form is
835 // `https://{service}.{namespace}:{port}/{path}`.
836 "url"!: string
837 }
838
839 // URLPath is the URL path to be used in the HTTP GET or POST
840 // request to the
841 // Kubernetes API server (e.g. "/api/v1/namespaces" or
842 // "/apis/apps/v1/deployments").
843 // The format required is the same format used by the `kubectl get
844 // --raw` command.
845 // See
846 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
847 // for details.
848 // It's mutually exclusive with the Service field.
849 "urlPath"?: string
850 }
851
852 // ConfigMap is the ConfigMap reference.
853 "configMap"?: {
854 // Name is the ConfigMap name.
855 "name"!: string
856
857 // Namespace is the ConfigMap namespace.
858 "namespace"?: string
859 }
860
861 // GlobalContextEntryReference is a reference to a cached global
862 // context entry.
863 "globalReference"?: {
864 // JMESPath is an optional JSON Match Expression that can be used
865 // to
866 // transform the JSON response returned from the server. For
867 // example
868 // a JMESPath of "items | length(@)" applied to the API server
869 // response
870 // for the URLPath "/apis/apps/v1/deployments" will return the
871 // total count
872 // of deployments across all namespaces.
873 "jmesPath"?: string
874
875 // Name of the global context entry
876 "name"!: string
877 }
878
879 // ImageRegistry defines requests to an OCI/Docker V2 registry to
880 // fetch image
881 // details.
882 "imageRegistry"?: {
883 // ImageRegistryCredentials provides credentials that will be used
884 // for authentication with registry
885 "imageRegistryCredentials"?: {
886 // AllowInsecureRegistry allows insecure access to a registry.
887 "allowInsecureRegistry"?: bool
888
889 // Providers specifies a list of OCI Registry names, whose
890 // authentication providers are provided.
891 // It can be of one of these values:
892 // default,google,azure,amazon,github.
893 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
894
895 // Secrets specifies a list of secrets that are provided for
896 // credentials.
897 // Secrets must live in the Kyverno namespace.
898 "secrets"?: [...string]
899 }
900
901 // JMESPath is an optional JSON Match Expression that can be used
902 // to
903 // transform the ImageData struct returned as a result of
904 // processing
905 // the image reference.
906 "jmesPath"?: string
907
908 // Reference is image reference to a container image in the
909 // registry.
910 // Example: ghcr.io/kyverno/kyverno:latest
911 "reference"!: string
912 }
913
914 // Name is the variable name.
915 "name"!: string
916
917 // Variable defines an arbitrary JMESPath context variable that
918 // can be defined inline.
919 "variable"?: {
920 // Default is an optional arbitrary JSON object that the variable
921 // may take if the JMESPath
922 // expression evaluates to nil
923 "default"?: null | bool | number | string | [...] | {
924 ...
925 }
926
927 // JMESPath is an optional JMESPath Expression that can be used to
928 // transform the variable.
929 "jmesPath"?: string
930
931 // Value is any arbitrary JSON object representable in YAML or
932 // JSON form.
933 "value"?: null | bool | number | string | [...] | {
934 ...
935 }
936 }
937 }]
938
939 // Data provides the resource declaration used to populate each
940 // generated resource.
941 // At most one of Data or Clone must be specified. If neither are
942 // provided, the generated
943 // resource will be created with default data only.
944 "data"?: null | bool | number | string | [...] | {
945 ...
946 }
947
948 // Kind specifies resource kind.
949 "kind"?: string
950
951 // List specifies a JMESPath expression that results in one or
952 // more elements
953 // to which the validation logic is applied.
954 "list"?: string
955
956 // Name specifies the resource name.
957 "name"?: string
958
959 // Namespace specifies resource namespace.
960 "namespace"?: string
961
962 // AnyAllConditions are used to determine if a policy rule should
963 // be applied by evaluating a
964 // set of conditions. The declaration can contain nested `any` or
965 // `all` statements.
966 // See: https://kyverno.io/docs/writing-policies/preconditions/
967 "preconditions"?: {
968 // AllConditions enable variable-based conditional rule execution.
969 // This is useful for
970 // finer control of when a rule is applied. A condition can
971 // reference object data
972 // using JMESPath notation.
973 // Here, all of the conditions need to pass
974 "all"?: [...{
975 // Key is the context entry (using JMESPath) for conditional rule
976 // evaluation.
977 "key"?: null | bool | number | string | [...] | {
978 ...
979 }
980
981 // Message is an optional display message
982 "message"?: string
983
984 // Operator is the conditional operation to perform. Valid
985 // operators are:
986 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
987 // GreaterThanOrEquals,
988 // GreaterThan, LessThanOrEquals, LessThan,
989 // DurationGreaterThanOrEquals, DurationGreaterThan,
990 // DurationLessThanOrEquals, DurationLessThan
991 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
992
993 // Value is the conditional value, or set of values. The values
994 // can be fixed set
995 // or can be variables declared using JMESPath.
996 "value"?: null | bool | number | string | [...] | {
997 ...
998 }
999 }]
1000
1001 // AnyConditions enable variable-based conditional rule execution.
1002 // This is useful for
1003 // finer control of when a rule is applied. A condition can
1004 // reference object data
1005 // using JMESPath notation.
1006 // Here, at least one of the conditions needs to pass
1007 "any"?: [...{
1008 // Key is the context entry (using JMESPath) for conditional rule
1009 // evaluation.
1010 "key"?: null | bool | number | string | [...] | {
1011 ...
1012 }
1013
1014 // Message is an optional display message
1015 "message"?: string
1016
1017 // Operator is the conditional operation to perform. Valid
1018 // operators are:
1019 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1020 // GreaterThanOrEquals,
1021 // GreaterThan, LessThanOrEquals, LessThan,
1022 // DurationGreaterThanOrEquals, DurationGreaterThan,
1023 // DurationLessThanOrEquals, DurationLessThan
1024 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1025
1026 // Value is the conditional value, or set of values. The values
1027 // can be fixed set
1028 // or can be variables declared using JMESPath.
1029 "value"?: null | bool | number | string | [...] | {
1030 ...
1031 }
1032 }]
1033 ...
1034 }
1035
1036 // UID specifies the resource uid.
1037 "uid"?: string
1038 }]
1039
1040 // GenerateExisting controls whether to trigger the rule in
1041 // existing resources
1042 // If set to "true", the rule will be triggered and applied to
1043 // existing matched resources.
1044 "generateExisting"?: bool
1045
1046 // Kind specifies resource kind.
1047 "kind"?: string
1048
1049 // Name specifies the resource name.
1050 "name"?: string
1051
1052 // Namespace specifies resource namespace.
1053 "namespace"?: string
1054
1055 // OrphanDownstreamOnPolicyDelete controls whether generated
1056 // resources should be deleted when the rule that generated
1057 // them is deleted with synchronization enabled. This option is
1058 // only applicable to generate rules of the data type.
1059 // See
1060 // https://kyverno.io/docs/writing-policies/generate/#data-examples.
1061 // Defaults to "false" if not specified.
1062 "orphanDownstreamOnPolicyDelete"?: bool
1063
1064 // Synchronize controls if generated resources should be kept
1065 // in-sync with their source resource.
1066 // If Synchronize is set to "true" changes to generated resources
1067 // will be overwritten with resource
1068 // data from Data or the resource specified in the Clone
1069 // declaration.
1070 // Optional. Defaults to "false" if not specified.
1071 "synchronize"?: bool
1072
1073 // UID specifies the resource uid.
1074 "uid"?: string
1075 }
1076
1077 // ImageExtractors defines a mapping from kinds to
1078 // ImageExtractorConfigs.
1079 // This config is only valid for verifyImages rules.
1080 "imageExtractors"?: {
1081 [string]: [...{
1082 // JMESPath is an optional JMESPath expression to apply to the
1083 // image value.
1084 // This is useful when the extracted image begins with a prefix
1085 // like 'docker://'.
1086 // The 'trim_prefix' function may be used to trim the prefix:
1087 // trim_prefix(@, 'docker://').
1088 // Note - Image digest mutation may not be used when applying a
1089 // JMESPath to an image.
1090 "jmesPath"?: string
1091
1092 // Key is an optional name of the field within 'path' that will be
1093 // used to uniquely identify an image.
1094 // Note - this field MUST be unique.
1095 "key"?: string
1096
1097 // Name is the entry the image will be available under
1098 // 'images.<name>' in the context.
1099 // If this field is not defined, image entries will appear under
1100 // 'images.custom'.
1101 "name"?: string
1102
1103 // Path is the path to the object containing the image field in a
1104 // custom resource.
1105 // It should be slash-separated. Each slash-separated key must be
1106 // a valid YAML key or a wildcard '*'.
1107 // Wildcard keys are expanded in case of arrays or objects.
1108 "path"!: string
1109
1110 // Value is an optional name of the field within 'path' that
1111 // points to the image URI.
1112 // This is useful when a custom 'key' is also defined.
1113 "value"?: string
1114 }]
1115 }
1116
1117 // MatchResources defines when this policy rule should be applied.
1118 // The match
1119 // criteria can include resource information (e.g. kind, name,
1120 // namespace, labels)
1121 // and admission review request information like the user name or
1122 // role.
1123 // At least one kind is required.
1124 "match"!: matchN(0, [null | bool | number | string | [...] | {
1125 "any"!: _
1126 "all"!: _
1127 }]) & {
1128 // All allows specifying resources which will be ANDed
1129 "all"?: [...{
1130 // ClusterRoles is the list of cluster-wide role names for the
1131 // user.
1132 "clusterRoles"?: [...string]
1133
1134 // ResourceDescription contains information about the resource
1135 // being created or modified.
1136 "resources"?: matchN(0, [null | bool | number | string | [...] | {
1137 "name"!: _
1138 "names"!: _
1139 }]) & {
1140 // Annotations is a map of annotations (key-value pairs of type
1141 // string). Annotation keys
1142 // and values support the wildcard characters "*" (matches zero or
1143 // many characters) and
1144 // "?" (matches at least one character).
1145 "annotations"?: [string]: string
1146
1147 // Kinds is a list of resource kinds.
1148 "kinds"?: [...string]
1149
1150 // Name is the name of the resource. The name supports wildcard
1151 // characters
1152 // "*" (matches zero or many characters) and "?" (at least one
1153 // character).
1154 // NOTE: "Name" is being deprecated in favor of "Names".
1155 "name"?: string
1156
1157 // Names are the names of the resources. Each name supports
1158 // wildcard characters
1159 // "*" (matches zero or many characters) and "?" (at least one
1160 // character).
1161 "names"?: [...string]
1162
1163 // NamespaceSelector is a label selector for the resource
1164 // namespace. Label keys and values
1165 // in `matchLabels` support the wildcard characters `*` (matches
1166 // zero or many characters)
1167 // and `?` (matches one character). Wildcards allow writing label
1168 // selectors like
1169 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1170 // any key and value but
1171 // does not match an empty label set.
1172 "namespaceSelector"?: {
1173 // matchExpressions is a list of label selector requirements. The
1174 // requirements are ANDed.
1175 "matchExpressions"?: [...{
1176 // key is the label key that the selector applies to.
1177 "key"!: string
1178
1179 // operator represents a key's relationship to a set of values.
1180 // Valid operators are In, NotIn, Exists and DoesNotExist.
1181 "operator"!: string
1182
1183 // values is an array of string values. If the operator is In or
1184 // NotIn,
1185 // the values array must be non-empty. If the operator is Exists
1186 // or DoesNotExist,
1187 // the values array must be empty. This array is replaced during a
1188 // strategic
1189 // merge patch.
1190 "values"?: [...string]
1191 }]
1192
1193 // matchLabels is a map of {key,value} pairs. A single {key,value}
1194 // in the matchLabels
1195 // map is equivalent to an element of matchExpressions, whose key
1196 // field is "key", the
1197 // operator is "In", and the values array contains only "value".
1198 // The requirements are ANDed.
1199 "matchLabels"?: {
1200 [string]: string
1201 }
1202 }
1203
1204 // Namespaces is a list of namespace names. Each name supports
1205 // wildcard characters
1206 // "*" (matches zero or many characters) and "?" (at least one
1207 // character).
1208 "namespaces"?: [...string]
1209
1210 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1211 // "DELETE"], which are used to match a specific action.
1212 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1213
1214 // Selector is a label selector. Label keys and values in
1215 // `matchLabels` support the wildcard
1216 // characters `*` (matches zero or many characters) and `?`
1217 // (matches one character).
1218 // Wildcards allow writing label selectors like
1219 // ["storage.k8s.io/*": "*"]. Note that
1220 // using ["*" : "*"] matches any key and value but does not match
1221 // an empty label set.
1222 "selector"?: {
1223 // matchExpressions is a list of label selector requirements. The
1224 // requirements are ANDed.
1225 "matchExpressions"?: [...{
1226 // key is the label key that the selector applies to.
1227 "key"!: string
1228
1229 // operator represents a key's relationship to a set of values.
1230 // Valid operators are In, NotIn, Exists and DoesNotExist.
1231 "operator"!: string
1232
1233 // values is an array of string values. If the operator is In or
1234 // NotIn,
1235 // the values array must be non-empty. If the operator is Exists
1236 // or DoesNotExist,
1237 // the values array must be empty. This array is replaced during a
1238 // strategic
1239 // merge patch.
1240 "values"?: [...string]
1241 }]
1242
1243 // matchLabels is a map of {key,value} pairs. A single {key,value}
1244 // in the matchLabels
1245 // map is equivalent to an element of matchExpressions, whose key
1246 // field is "key", the
1247 // operator is "In", and the values array contains only "value".
1248 // The requirements are ANDed.
1249 "matchLabels"?: {
1250 [string]: string
1251 }
1252 }
1253 }
1254
1255 // Roles is the list of namespaced role names for the user.
1256 "roles"?: [...string]
1257
1258 // Subjects is the list of subject names like users, user groups,
1259 // and service accounts.
1260 "subjects"?: [...{
1261 // APIGroup holds the API group of the referenced subject.
1262 // Defaults to "" for ServiceAccount subjects.
1263 // Defaults to "rbac.authorization.k8s.io" for User and Group
1264 // subjects.
1265 "apiGroup"?: string
1266
1267 // Kind of object being referenced. Values defined by this API
1268 // group are "User", "Group", and "ServiceAccount".
1269 // If the Authorizer does not recognize the kind value, the
1270 // Authorizer should report an error.
1271 "kind"!: string
1272
1273 // Name of the object being referenced.
1274 "name"!: string
1275
1276 // Namespace of the referenced object. If the object kind is
1277 // non-namespaced, such as "User" or "Group", and this value is
1278 // not empty,
1279 // the Authorizer should report an error.
1280 "namespace"?: string
1281 }]
1282 }]
1283
1284 // Any allows specifying resources which will be ORed
1285 "any"?: [...{
1286 // ClusterRoles is the list of cluster-wide role names for the
1287 // user.
1288 "clusterRoles"?: [...string]
1289
1290 // ResourceDescription contains information about the resource
1291 // being created or modified.
1292 "resources"?: matchN(0, [null | bool | number | string | [...] | {
1293 "name"!: _
1294 "names"!: _
1295 }]) & {
1296 // Annotations is a map of annotations (key-value pairs of type
1297 // string). Annotation keys
1298 // and values support the wildcard characters "*" (matches zero or
1299 // many characters) and
1300 // "?" (matches at least one character).
1301 "annotations"?: [string]: string
1302
1303 // Kinds is a list of resource kinds.
1304 "kinds"?: [...string]
1305
1306 // Name is the name of the resource. The name supports wildcard
1307 // characters
1308 // "*" (matches zero or many characters) and "?" (at least one
1309 // character).
1310 // NOTE: "Name" is being deprecated in favor of "Names".
1311 "name"?: string
1312
1313 // Names are the names of the resources. Each name supports
1314 // wildcard characters
1315 // "*" (matches zero or many characters) and "?" (at least one
1316 // character).
1317 "names"?: [...string]
1318
1319 // NamespaceSelector is a label selector for the resource
1320 // namespace. Label keys and values
1321 // in `matchLabels` support the wildcard characters `*` (matches
1322 // zero or many characters)
1323 // and `?` (matches one character). Wildcards allow writing label
1324 // selectors like
1325 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
1326 // any key and value but
1327 // does not match an empty label set.
1328 "namespaceSelector"?: {
1329 // matchExpressions is a list of label selector requirements. The
1330 // requirements are ANDed.
1331 "matchExpressions"?: [...{
1332 // key is the label key that the selector applies to.
1333 "key"!: string
1334
1335 // operator represents a key's relationship to a set of values.
1336 // Valid operators are In, NotIn, Exists and DoesNotExist.
1337 "operator"!: string
1338
1339 // values is an array of string values. If the operator is In or
1340 // NotIn,
1341 // the values array must be non-empty. If the operator is Exists
1342 // or DoesNotExist,
1343 // the values array must be empty. This array is replaced during a
1344 // strategic
1345 // merge patch.
1346 "values"?: [...string]
1347 }]
1348
1349 // matchLabels is a map of {key,value} pairs. A single {key,value}
1350 // in the matchLabels
1351 // map is equivalent to an element of matchExpressions, whose key
1352 // field is "key", the
1353 // operator is "In", and the values array contains only "value".
1354 // The requirements are ANDed.
1355 "matchLabels"?: {
1356 [string]: string
1357 }
1358 }
1359
1360 // Namespaces is a list of namespace names. Each name supports
1361 // wildcard characters
1362 // "*" (matches zero or many characters) and "?" (at least one
1363 // character).
1364 "namespaces"?: [...string]
1365
1366 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
1367 // "DELETE"], which are used to match a specific action.
1368 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
1369
1370 // Selector is a label selector. Label keys and values in
1371 // `matchLabels` support the wildcard
1372 // characters `*` (matches zero or many characters) and `?`
1373 // (matches one character).
1374 // Wildcards allow writing label selectors like
1375 // ["storage.k8s.io/*": "*"]. Note that
1376 // using ["*" : "*"] matches any key and value but does not match
1377 // an empty label set.
1378 "selector"?: {
1379 // matchExpressions is a list of label selector requirements. The
1380 // requirements are ANDed.
1381 "matchExpressions"?: [...{
1382 // key is the label key that the selector applies to.
1383 "key"!: string
1384
1385 // operator represents a key's relationship to a set of values.
1386 // Valid operators are In, NotIn, Exists and DoesNotExist.
1387 "operator"!: string
1388
1389 // values is an array of string values. If the operator is In or
1390 // NotIn,
1391 // the values array must be non-empty. If the operator is Exists
1392 // or DoesNotExist,
1393 // the values array must be empty. This array is replaced during a
1394 // strategic
1395 // merge patch.
1396 "values"?: [...string]
1397 }]
1398
1399 // matchLabels is a map of {key,value} pairs. A single {key,value}
1400 // in the matchLabels
1401 // map is equivalent to an element of matchExpressions, whose key
1402 // field is "key", the
1403 // operator is "In", and the values array contains only "value".
1404 // The requirements are ANDed.
1405 "matchLabels"?: {
1406 [string]: string
1407 }
1408 }
1409 }
1410
1411 // Roles is the list of namespaced role names for the user.
1412 "roles"?: [...string]
1413
1414 // Subjects is the list of subject names like users, user groups,
1415 // and service accounts.
1416 "subjects"?: [...{
1417 // APIGroup holds the API group of the referenced subject.
1418 // Defaults to "" for ServiceAccount subjects.
1419 // Defaults to "rbac.authorization.k8s.io" for User and Group
1420 // subjects.
1421 "apiGroup"?: string
1422
1423 // Kind of object being referenced. Values defined by this API
1424 // group are "User", "Group", and "ServiceAccount".
1425 // If the Authorizer does not recognize the kind value, the
1426 // Authorizer should report an error.
1427 "kind"!: string
1428
1429 // Name of the object being referenced.
1430 "name"!: string
1431
1432 // Namespace of the referenced object. If the object kind is
1433 // non-namespaced, such as "User" or "Group", and this value is
1434 // not empty,
1435 // the Authorizer should report an error.
1436 "namespace"?: string
1437 }]
1438 }]
1439 }
1440
1441 // Mutation is used to modify matching resources.
1442 "mutate"?: {
1443 // ForEach applies mutation rules to a list of sub-elements by
1444 // creating a context for each entry in the list and looping over
1445 // it to apply the specified logic.
1446 "foreach"?: [...{
1447 // Context defines variables and data sources that can be used
1448 // during rule execution.
1449 "context"?: [...matchN(1, [{
1450 "configMap"!: _
1451 }, {
1452 "apiCall"!: _
1453 }, {
1454 "imageRegistry"!: _
1455 }, {
1456 "variable"!: _
1457 }, {
1458 "globalReference"!: _
1459 }]) & {
1460 // APICall is an HTTP request to the Kubernetes API server, or
1461 // other JSON web service.
1462 // The data returned is stored in the context with the name for
1463 // the context entry.
1464 "apiCall"?: {
1465 // The data object specifies the POST data sent to the server.
1466 // Only applicable when the method field is set to POST.
1467 "data"?: [...{
1468 // Key is a unique identifier for the data value
1469 "key"!: string
1470
1471 // Value is the data value
1472 "value"!: null | bool | number | string | [...] | {
1473 ...
1474 }
1475 }]
1476
1477 // Default is an optional arbitrary JSON object that the context
1478 // value is set to, if the apiCall returns an error.
1479 "default"?: null | bool | number | string | [...] | {
1480 ...
1481 }
1482
1483 // JMESPath is an optional JSON Match Expression that can be used
1484 // to
1485 // transform the JSON response returned from the server. For
1486 // example
1487 // a JMESPath of "items | length(@)" applied to the API server
1488 // response
1489 // for the URLPath "/apis/apps/v1/deployments" will return the
1490 // total count
1491 // of deployments across all namespaces.
1492 "jmesPath"?: string
1493
1494 // Method is the HTTP request type (GET or POST). Defaults to GET.
1495 "method"?: "GET" | "POST"
1496
1497 // Service is an API call to a JSON web service.
1498 // This is used for non-Kubernetes API server calls.
1499 // It's mutually exclusive with the URLPath field.
1500 "service"?: {
1501 // CABundle is a PEM encoded CA bundle which will be used to
1502 // validate
1503 // the server certificate.
1504 "caBundle"?: string
1505
1506 // Headers is a list of optional HTTP headers to be included in
1507 // the request.
1508 "headers"?: [...{
1509 // Key is the header key
1510 "key"!: string
1511
1512 // Value is the header value
1513 "value"!: string
1514 }]
1515
1516 // URL is the JSON web service URL. A typical form is
1517 // `https://{service}.{namespace}:{port}/{path}`.
1518 "url"!: string
1519 }
1520
1521 // URLPath is the URL path to be used in the HTTP GET or POST
1522 // request to the
1523 // Kubernetes API server (e.g. "/api/v1/namespaces" or
1524 // "/apis/apps/v1/deployments").
1525 // The format required is the same format used by the `kubectl get
1526 // --raw` command.
1527 // See
1528 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1529 // for details.
1530 // It's mutually exclusive with the Service field.
1531 "urlPath"?: string
1532 }
1533
1534 // ConfigMap is the ConfigMap reference.
1535 "configMap"?: {
1536 // Name is the ConfigMap name.
1537 "name"!: string
1538
1539 // Namespace is the ConfigMap namespace.
1540 "namespace"?: string
1541 }
1542
1543 // GlobalContextEntryReference is a reference to a cached global
1544 // context entry.
1545 "globalReference"?: {
1546 // JMESPath is an optional JSON Match Expression that can be used
1547 // to
1548 // transform the JSON response returned from the server. For
1549 // example
1550 // a JMESPath of "items | length(@)" applied to the API server
1551 // response
1552 // for the URLPath "/apis/apps/v1/deployments" will return the
1553 // total count
1554 // of deployments across all namespaces.
1555 "jmesPath"?: string
1556
1557 // Name of the global context entry
1558 "name"!: string
1559 }
1560
1561 // ImageRegistry defines requests to an OCI/Docker V2 registry to
1562 // fetch image
1563 // details.
1564 "imageRegistry"?: {
1565 // ImageRegistryCredentials provides credentials that will be used
1566 // for authentication with the registry.
1567 "imageRegistryCredentials"?: {
1568 // AllowInsecureRegistry allows insecure access to a registry.
1569 "allowInsecureRegistry"?: bool
1570
1571 // Providers specifies a list of OCI Registry names, whose
1572 // authentication providers are provided.
1573 // It can be one of these values:
1574 // default,google,azure,amazon,github.
1575 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1576
1577 // Secrets specifies a list of secrets that are provided for
1578 // credentials.
1579 // Secrets must live in the Kyverno namespace.
1580 "secrets"?: [...string]
1581 }
1582
1583 // JMESPath is an optional JSON Match Expression that can be used
1584 // to
1585 // transform the ImageData struct returned as a result of
1586 // processing
1587 // the image reference.
1588 "jmesPath"?: string
1589
1590 // Reference is image reference to a container image in the
1591 // registry.
1592 // Example: ghcr.io/kyverno/kyverno:latest
1593 "reference"!: string
1594 }
1595
1596 // Name is the variable name.
1597 "name"!: string
1598
1599 // Variable defines an arbitrary JMESPath context variable that
1600 // can be defined inline.
1601 "variable"?: {
1602 // Default is an optional arbitrary JSON object that the variable
1603 // may take if the JMESPath
1604 // expression evaluates to nil.
1605 "default"?: null | bool | number | string | [...] | {
1606 ...
1607 }
1608
1609 // JMESPath is an optional JMESPath Expression that can be used to
1610 // transform the variable.
1611 "jmesPath"?: string
1612
1613 // Value is any arbitrary JSON object representable in YAML or
1614 // JSON form.
1615 "value"?: null | bool | number | string | [...] | {
1616 ...
1617 }
1618 }
1619 }]
1620
1621 // Foreach declares a nested foreach iterator
1622 "foreach"?: null | bool | number | string | [...] | {
1623 ...
1624 }
1625
1626 // List specifies a JMESPath expression that results in one or
1627 // more elements
1628 // to which the validation logic is applied.
1629 "list"?: string
1630
1631 // Order defines the iteration order on the list.
1632 // Can be Ascending to iterate from first to last element or
1633 // Descending to iterate from last to first element.
1634 "order"?: "Ascending" | "Descending"
1635
1636 // PatchStrategicMerge is a strategic merge patch used to modify
1637 // resources.
1638 // See
1639 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1640 // and
1641 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1642 "patchStrategicMerge"?: null | bool | number | string | [...] | {
1643 ...
1644 }
1645
1646 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1647 // used to modify resources.
1648 // See https://tools.ietf.org/html/rfc6902 and
1649 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1650 "patchesJson6902"?: string
1651
1652 // AnyAllConditions are used to determine if a policy rule should
1653 // be applied by evaluating a
1654 // set of conditions. The declaration can contain nested `any` or
1655 // `all` statements.
1656 // See: https://kyverno.io/docs/writing-policies/preconditions/
1657 "preconditions"?: {
1658 // AllConditions enable variable-based conditional rule execution.
1659 // This is useful for
1660 // finer control of when a rule is applied. A condition can
1661 // reference object data
1662 // using JMESPath notation.
1663 // Here, all of the conditions need to pass
1664 "all"?: [...{
1665 // Key is the context entry (using JMESPath) for conditional rule
1666 // evaluation.
1667 "key"?: null | bool | number | string | [...] | {
1668 ...
1669 }
1670
1671 // Message is an optional display message
1672 "message"?: string
1673
1674 // Operator is the conditional operation to perform. Valid
1675 // operators are:
1676 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1677 // GreaterThanOrEquals,
1678 // GreaterThan, LessThanOrEquals, LessThan,
1679 // DurationGreaterThanOrEquals, DurationGreaterThan,
1680 // DurationLessThanOrEquals, DurationLessThan
1681 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1682
1683 // Value is the conditional value, or set of values. The values
1684 // can be fixed set
1685 // or can be variables declared using JMESPath.
1686 "value"?: null | bool | number | string | [...] | {
1687 ...
1688 }
1689 }]
1690
1691 // AnyConditions enable variable-based conditional rule execution.
1692 // This is useful for
1693 // finer control of when a rule is applied. A condition can
1694 // reference object data
1695 // using JMESPath notation.
1696 // Here, at least one of the conditions needs to pass
1697 "any"?: [...{
1698 // Key is the context entry (using JMESPath) for conditional rule
1699 // evaluation.
1700 "key"?: null | bool | number | string | [...] | {
1701 ...
1702 }
1703
1704 // Message is an optional display message
1705 "message"?: string
1706
1707 // Operator is the conditional operation to perform. Valid
1708 // operators are:
1709 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
1710 // GreaterThanOrEquals,
1711 // GreaterThan, LessThanOrEquals, LessThan,
1712 // DurationGreaterThanOrEquals, DurationGreaterThan,
1713 // DurationLessThanOrEquals, DurationLessThan
1714 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
1715
1716 // Value is the conditional value, or set of values. The values
1717 // can be fixed set
1718 // or can be variables declared using JMESPath.
1719 "value"?: null | bool | number | string | [...] | {
1720 ...
1721 }
1722 }]
1723 ...
1724 }
1725 }]
1726
1727 // MutateExistingOnPolicyUpdate controls if the mutateExisting
1728 // rule will be applied on policy events.
1729 "mutateExistingOnPolicyUpdate"?: bool
1730
1731 // PatchStrategicMerge is a strategic merge patch used to modify
1732 // resources.
1733 // See
1734 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
1735 // and
1736 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
1737 "patchStrategicMerge"?: null | bool | number | string | [...] | {
1738 ...
1739 }
1740
1741 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
1742 // used to modify resources.
1743 // See https://tools.ietf.org/html/rfc6902 and
1744 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
1745 "patchesJson6902"?: string
1746
1747 // Targets defines the target resources to be mutated.
1748 "targets"?: [...{
1749 // APIVersion specifies resource apiVersion.
1750 "apiVersion"?: string
1751
1752 // Context defines variables and data sources that can be used
1753 // during rule execution.
1754 "context"?: [...matchN(1, [{
1755 "configMap"!: _
1756 }, {
1757 "apiCall"!: _
1758 }, {
1759 "imageRegistry"!: _
1760 }, {
1761 "variable"!: _
1762 }, {
1763 "globalReference"!: _
1764 }]) & {
1765 // APICall is an HTTP request to the Kubernetes API server, or
1766 // other JSON web service.
1767 // The data returned is stored in the context with the name for
1768 // the context entry.
1769 "apiCall"?: {
1770 // The data object specifies the POST data sent to the server.
1771 // Only applicable when the method field is set to POST.
1772 "data"?: [...{
1773 // Key is a unique identifier for the data value
1774 "key"!: string
1775
1776 // Value is the data value
1777 "value"!: null | bool | number | string | [...] | {
1778 ...
1779 }
1780 }]
1781
1782 // Default is an optional arbitrary JSON object that the context
1783 // value is set to, if the apiCall returns an error.
1784 "default"?: null | bool | number | string | [...] | {
1785 ...
1786 }
1787
1788 // JMESPath is an optional JSON Match Expression that can be used
1789 // to
1790 // transform the JSON response returned from the server. For
1791 // example
1792 // a JMESPath of "items | length(@)" applied to the API server
1793 // response
1794 // for the URLPath "/apis/apps/v1/deployments" will return the
1795 // total count
1796 // of deployments across all namespaces.
1797 "jmesPath"?: string
1798
1799 // Method is the HTTP request type (GET or POST). Defaults to GET.
1800 "method"?: "GET" | "POST"
1801
1802 // Service is an API call to a JSON web service.
1803 // This is used for non-Kubernetes API server calls.
1804 // It's mutually exclusive with the URLPath field.
1805 "service"?: {
1806 // CABundle is a PEM encoded CA bundle which will be used to
1807 // validate
1808 // the server certificate.
1809 "caBundle"?: string
1810
1811 // Headers is a list of optional HTTP headers to be included in
1812 // the request.
1813 "headers"?: [...{
1814 // Key is the header key
1815 "key"!: string
1816
1817 // Value is the header value
1818 "value"!: string
1819 }]
1820
1821 // URL is the JSON web service URL. A typical form is
1822 // `https://{service}.{namespace}:{port}/{path}`.
1823 "url"!: string
1824 }
1825
1826 // URLPath is the URL path to be used in the HTTP GET or POST
1827 // request to the
1828 // Kubernetes API server (e.g. "/api/v1/namespaces" or
1829 // "/apis/apps/v1/deployments").
1830 // The format required is the same format used by the `kubectl get
1831 // --raw` command.
1832 // See
1833 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
1834 // for details.
1835 // It's mutually exclusive with the Service field.
1836 "urlPath"?: string
1837 }
1838
1839 // ConfigMap is the ConfigMap reference.
1840 "configMap"?: {
1841 // Name is the ConfigMap name.
1842 "name"!: string
1843
1844 // Namespace is the ConfigMap namespace.
1845 "namespace"?: string
1846 }
1847
1848 // GlobalContextEntryReference is a reference to a cached global
1849 // context entry.
1850 "globalReference"?: {
1851 // JMESPath is an optional JSON Match Expression that can be used
1852 // to
1853 // transform the JSON response returned from the server. For
1854 // example
1855 // a JMESPath of "items | length(@)" applied to the API server
1856 // response
1857 // for the URLPath "/apis/apps/v1/deployments" will return the
1858 // total count
1859 // of deployments across all namespaces.
1860 "jmesPath"?: string
1861
1862 // Name of the global context entry
1863 "name"!: string
1864 }
1865
1866 // ImageRegistry defines requests to an OCI/Docker V2 registry to
1867 // fetch image
1868 // details.
1869 "imageRegistry"?: {
1870 // ImageRegistryCredentials provides credentials that will be used
1871 // for authentication with registry
1872 "imageRegistryCredentials"?: {
1873 // AllowInsecureRegistry allows insecure access to a registry.
1873 // Leave it unset unless the registry cannot be reached securely.
1874 "allowInsecureRegistry"?: bool
1875
1876 // Providers specifies a list of OCI Registry names, whose
1877 // authentication providers are provided.
1878 // It can be of one of these values:
1879 // default,google,azure,amazon,github.
1880 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
1881
1882 // Secrets specifies a list of secrets that are provided for
1883 // credentials.
1884 // Secrets must live in the Kyverno namespace.
1885 "secrets"?: [...string]
1886 }
1887
1888 // JMESPath is an optional JSON Match Expression that can be used
1889 // to
1890 // transform the ImageData struct returned as a result of
1891 // processing
1892 // the image reference.
1893 "jmesPath"?: string
1894
1895 // Reference is the image reference of a container image in the
1896 // registry.
1897 // Example: ghcr.io/kyverno/kyverno:latest
1898 "reference"!: string
1899 }
1900
1901 // Name is the variable name.
1902 "name"!: string
1903
1904 // Variable defines an arbitrary JMESPath context variable that
1905 // can be defined inline.
1906 "variable"?: {
1907 // Default is an optional arbitrary JSON object that the variable
1908 // may take if the JMESPath
1909 // expression evaluates to nil.
1910 "default"?: null | bool | number | string | [...] | {
1911 ...
1912 }
1913
1914 // JMESPath is an optional JMESPath Expression that can be used to
1915 // transform the variable.
1916 "jmesPath"?: string
1917
1918 // Value is any arbitrary JSON object representable in YAML or
1919 // JSON form.
1920 "value"?: null | bool | number | string | [...] | {
1921 ...
1922 }
1923 }
1924 }]
1925
1926 // Kind specifies resource kind.
1927 "kind"?: string
1928
1929 // Name specifies the resource name.
1930 "name"?: string
1931
1932 // Namespace specifies resource namespace.
1933 "namespace"?: string
1934
1935 // Preconditions are used to determine if a policy rule should be
1936 // applied by evaluating a
1937 // set of conditions. The declaration can contain nested `any` or
1938 // `all` statements. A direct list
1939 // of conditions (without `any` or `all` statements) is supported
1940 // for backwards compatibility but
1941 // will be deprecated in the next major release.
1942 // See: https://kyverno.io/docs/writing-policies/preconditions/
1943 "preconditions"?: null | bool | number | string | [...] | {
1944 ...
1945 }
1946
1947 // Selector allows you to select target resources with their
1948 // labels.
1949 "selector"?: {
1950 // matchExpressions is a list of label selector requirements. The
1951 // requirements are ANDed.
1952 "matchExpressions"?: [...{
1953 // key is the label key that the selector applies to.
1954 "key"!: string
1955
1956 // operator represents a key's relationship to a set of values.
1957 // Valid operators are In, NotIn, Exists and DoesNotExist.
1958 "operator"!: string
1959
1960 // values is an array of string values. If the operator is In or
1961 // NotIn,
1962 // the values array must be non-empty. If the operator is Exists
1963 // or DoesNotExist,
1964 // the values array must be empty. This array is replaced during a
1965 // strategic
1966 // merge patch.
1967 "values"?: [...string]
1968 }]
1969
1970 // matchLabels is a map of {key,value} pairs. A single {key,value}
1971 // in the matchLabels
1972 // map is equivalent to an element of matchExpressions, whose key
1973 // field is "key", the
1974 // operator is "In", and the values array contains only "value".
1975 // The requirements are ANDed.
1976 "matchLabels"?: {
1977 [string]: string
1978 }
1979 }
1980
1981 // UID specifies the resource uid.
1982 "uid"?: string
1983 }]
1984 }
1985
1986 // Name is a label to identify the rule. It must be unique within
1987 // the policy.
1988 "name"!: strings.MaxRunes(
1989 63)
1990
1991 // Preconditions are used to determine if a policy rule should be
1992 // applied by evaluating a
1993 // set of conditions. The declaration can contain nested `any` or
1994 // `all` statements.
1995 // See: https://kyverno.io/docs/writing-policies/preconditions/
1996 "preconditions"?: {
1997 // AllConditions enable variable-based conditional rule execution.
1998 // This is useful for
1999 // finer control of when a rule is applied. A condition can
2000 // reference object data
2001 // using JMESPath notation.
2002 // Here, all of the conditions need to pass.
2003 "all"?: [...{
2004 // Key is the context entry (using JMESPath) for conditional rule
2005 // evaluation.
2006 "key"?: null | bool | number | string | [...] | {
2007 ...
2008 }
2009
2010 // Message is an optional display message
2011 "message"?: string
2012
2013 // Operator is the conditional operation to perform. Valid
2014 // operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn,
2015 // AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
2016 // LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
2017 // DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan.
2018 // Note that `In` and `NotIn` are listed here but are not accepted
2019 // by the enum constraint on the field below.
2020 "operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2021
2022 // Value is the conditional value, or set of values. The values
2023 // can be a fixed set
2024 // or can be variables declared using JMESPath.
2025 "value"?: null | bool | number | string | [...] | {
2026 ...
2027 }
2028 }]
2029
2030 // AnyConditions enable variable-based conditional rule execution.
2031 // This is useful for
2032 // finer control of when a rule is applied. A condition can
2033 // reference object data
2034 // using JMESPath notation.
2035 // Here, at least one of the conditions needs to pass.
2036 "any"?: [...{
2037 // Key is the context entry (using JMESPath) for conditional rule
2038 // evaluation.
2039 "key"?: null | bool | number | string | [...] | {
2040 ...
2041 }
2042
2043 // Message is an optional display message
2044 "message"?: string
2045
2046 // Operator is the conditional operation to perform. Valid
2047 // operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn,
2048 // AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
2049 // LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
2050 // DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan.
2051 // Note that `In` and `NotIn` are listed here but are not accepted
2052 // by the enum constraint on the field below.
2053 "operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2054
2055 // Value is the conditional value, or set of values. The values
2056 // can be a fixed set
2057 // or can be variables declared using JMESPath.
2058 "value"?: null | bool | number | string | [...] | {
2059 ...
2060 }
2061 }]
2062 }
2063
2064 // SkipBackgroundRequests bypasses admission requests that are
2065 // sent by the background controller.
2066 // The default value is "true"; it must be set to "false" to apply
2067 // generate and mutateExisting rules to those requests.
2069 "skipBackgroundRequests"?: bool
2070
2071 // Validation is used to validate matching resources.
2072 "validate"?: {
2073 // AnyPattern specifies list of validation patterns. At least one
2074 // of the patterns
2075 // must be satisfied for the validation rule to succeed.
2076 "anyPattern"?: null | bool | number | string | [...] | {
2077 ...
2078 }
2079
2080 // Assert defines a kyverno-json assertion tree.
2081 "assert"?: {
2082 ...
2083 }
2084
2085 // CEL allows validation checks using the Common Expression
2086 // Language
2087 // (https://kubernetes.io/docs/reference/using-api/cel/).
2088 "cel"?: {
2089 // AuditAnnotations contains CEL expressions which are used to
2090 // produce audit annotations for the audit event of the API
2091 // request.
2092 "auditAnnotations"?: [...{
2093 // key specifies the audit annotation key. The audit annotation
2094 // keys of
2095 // a ValidatingAdmissionPolicy must be unique. The key must be a
2096 // qualified
2097 // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
2098 // length.
2099 //
2100 // The key is combined with the resource name of the
2101 // ValidatingAdmissionPolicy to construct an audit annotation key:
2102 // "{ValidatingAdmissionPolicy name}/{key}".
2103 //
2104 // If an admission webhook uses the same resource name as this
2105 // ValidatingAdmissionPolicy
2106 // and the same audit annotation key, the annotation key will be
2107 // identical.
2108 // In this case, the first annotation written with the key will be
2109 // included
2110 // in the audit event and all subsequent annotations with the same
2111 // key
2112 // will be discarded.
2113 //
2114 // Required.
2115 "key"!: string
2116
2117 // valueExpression represents the expression which is evaluated by
2118 // CEL to
2119 // produce an audit annotation value. The expression must evaluate
2120 // to either
2121 // a string or null value. If the expression evaluates to a
2122 // string, the
2123 // audit annotation is included with the string value. If the
2124 // expression
2125 // evaluates to null or empty string the audit annotation will be
2126 // omitted.
2127 // The valueExpression may be no longer than 5kb in length.
2128 // If the result of the valueExpression is more than 10kb in
2129 // length, it
2130 // will be truncated to 10kb.
2131 //
2132 // If multiple ValidatingAdmissionPolicyBinding resources match an
2133 // API request, then the valueExpression will be evaluated for
2134 // each binding. All unique values produced by the
2135 // valueExpressions
2136 // will be joined together in a comma-separated list.
2137 //
2138 // Required.
2139 "valueExpression"!: string
2140 }]
2141
2142 // Expressions is a list of CELExpression types.
2143 "expressions"?: [...{
2144 // Expression represents the expression which will be evaluated by
2145 // CEL.
2146 // ref: https://github.com/google/cel-spec
2147 // CEL expressions have access to the contents of the API
2148 // request/response, organized into CEL variables as well as some
2149 // other useful variables:
2150 //
2151 // - 'object' - The object from the incoming request. The value is
2152 // null for DELETE requests.
2153 // - 'oldObject' - The existing object. The value is null for
2154 // CREATE requests.
2155 // - 'request' - Attributes of the API
2156 // request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
2157 // - 'params' - Parameter resource referred to by the policy
2158 // binding being evaluated. Only populated if the policy has a
2159 // ParamKind.
2160 // - 'namespaceObject' - The namespace object that the incoming
2161 // object belongs to. The value is null for cluster-scoped
2162 // resources.
2163 // - 'variables' - Map of composited variables, from its name to
2164 // its lazily evaluated value.
2165 // For example, a variable named 'foo' can be accessed as
2166 // 'variables.foo'.
2167 // - 'authorizer' - A CEL Authorizer. May be used to perform
2168 // authorization checks for the principal (user or service
2169 // account) of the request.
2170 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
2171 // - 'authorizer.requestResource' - A CEL ResourceCheck
2172 // constructed from the 'authorizer' and configured with the
2173 // request resource.
2174 //
2175 // The `apiVersion`, `kind`, `metadata.name` and
2176 // `metadata.generateName` are always accessible from the root of
2177 // the
2178 // object. No other metadata properties are accessible.
2179 //
2180 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
2181 // are accessible.
2182 // Accessible property names are escaped according to the
2183 // following rules when accessed in the expression:
2184 // - '__' escapes to '__underscores__'
2185 // - '.' escapes to '__dot__'
2186 // - '-' escapes to '__dash__'
2187 // - '/' escapes to '__slash__'
2188 // - Property names that exactly match a CEL RESERVED keyword
2189 // escape to '__{keyword}__'. The keywords are:
2190 // "true", "false", "null", "in", "as", "break", "const",
2191 // "continue", "else", "for", "function", "if",
2192 // "import", "let", "loop", "package", "namespace", "return".
2193 // Examples:
2194 // - Expression accessing a property named "namespace":
2195 // {"Expression": "object.__namespace__ > 0"}
2196 // - Expression accessing a property named "x-prop":
2197 // {"Expression": "object.x__dash__prop > 0"}
2198 // - Expression accessing a property named "redact__d":
2199 // {"Expression": "object.redact__underscores__d > 0"}
2200 //
2201 // Equality on arrays with list type of 'set' or 'map' ignores
2202 // element order, i.e. [1, 2] == [2, 1].
2203 // Concatenation on arrays with x-kubernetes-list-type use the
2204 // semantics of the list type:
2205 // - 'set': `X + Y` performs a union where the array positions of
2206 // all elements in `X` are preserved and
2207 // non-intersecting elements in `Y` are appended, retaining their
2208 // partial order.
2209 // - 'map': `X + Y` performs a merge where the array positions of
2210 // all keys in `X` are preserved but the values
2211 // are overwritten by values in `Y` when the key sets of `X` and
2212 // `Y` intersect. Elements in `Y` with
2213 // non-intersecting keys are appended, retaining their partial
2214 // order.
2215 // Required.
2216 "expression"!: string
2217
2218 // Message represents the message displayed when validation fails.
2219 // The message is required if the Expression contains
2220 // line breaks. The message must not contain line breaks.
2221 // If unset, the message is "failed rule: {Rule}".
2222 // e.g. "must be a URL with the host matching spec.host"
2223 // If the Expression contains line breaks. Message is required.
2224 // The message must not contain line breaks.
2225 // If unset, the message is "failed Expression: {Expression}".
2226 "message"?: string
2227
2228 // messageExpression declares a CEL expression that evaluates to
2229 // the validation failure message that is returned when this rule
2230 // fails.
2231 // Since messageExpression is used as a failure message, it must
2232 // evaluate to a string.
2233 // If both message and messageExpression are present on a
2234 // validation, then messageExpression will be used if validation
2235 // fails.
2236 // If messageExpression results in a runtime error, the runtime
2237 // error is logged, and the validation failure message is
2238 // produced
2239 // as if the messageExpression field were unset. If
2240 // messageExpression evaluates to an empty string, a string with
2241 // only spaces, or a string
2242 // that contains line breaks, then the validation failure message
2243 // will also be produced as if the messageExpression field were
2244 // unset, and
2245 // the fact that messageExpression produced an empty string/string
2246 // with only spaces/string with line breaks will be logged.
2247 // messageExpression has access to all the same variables as the
2248 // `expression` except for 'authorizer' and
2249 // 'authorizer.requestResource'.
2250 // Example:
2251 // "object.x must be less than max ("+string(params.max)+")"
2252 "messageExpression"?: string
2253
2254 // Reason represents a machine-readable description of why this
2255 // validation failed.
2256 // If this is the first validation in the list to fail, this
2257 // reason, as well as the
2258 // corresponding HTTP response code, are used in the
2259 // HTTP response to the client.
2260 // The currently supported reasons are: "Unauthorized",
2261 // "Forbidden", "Invalid", "RequestEntityTooLarge".
2262 // If not set, StatusReasonInvalid is used in the response to the
2263 // client.
2264 "reason"?: string
2265 }]
2266
2267 // ParamKind is a tuple of Group Kind and Version.
2268 "paramKind"?: {
2269 // APIVersion is the API group version the resources belong to.
2270 // In format of "group/version".
2271 // Required.
2272 "apiVersion"?: string
2273
2274 // Kind is the API kind the resources belong to.
2275 // Required.
2276 "kind"?: string
2277 }
2278
2279 // ParamRef references a parameter resource.
2280 "paramRef"?: {
2281 // name is the name of the resource being referenced.
2282 //
2283 // One of `name` or `selector` must be set, but `name` and
2284 // `selector` are
2285 // mutually exclusive properties. If one is set, the other must be
2286 // unset.
2287 //
2288 // A single parameter used for all admission requests can be
2289 // configured
2290 // by setting the `name` field, leaving `selector` blank, and
2291 // setting namespace
2292 // if `paramKind` is namespace-scoped.
2293 "name"?: string
2294
2295 // namespace is the namespace of the referenced resource. Allows
2296 // limiting
2297 // the search for params to a specific namespace. Applies to both
2298 // `name` and
2299 // `selector` fields.
2300 //
2301 // A per-namespace parameter may be used by specifying a
2302 // namespace-scoped
2303 // `paramKind` in the policy and leaving this field empty.
2304 //
2305 // - If `paramKind` is cluster-scoped, this field MUST be unset.
2306 // Setting this
2307 // field results in a configuration error.
2308 //
2309 // - If `paramKind` is namespace-scoped, the namespace of the
2310 // object being
2311 // evaluated for admission will be used when this field is left
2312 // unset. Take
2313 // care that if this is left empty the binding must not match any
2314 // cluster-scoped
2315 // resources, which will result in an error.
2316 "namespace"?: string
2317
2318 // `parameterNotFoundAction` controls the behavior of the binding
2319 // when the resource
2320 // exists, and name or selector is valid, but there are no
2321 // parameters
2322 // matched by the binding. If the value is set to `Allow`, then no
2323 // matched parameters will be treated as successful validation by
2324 // the binding.
2325 // If set to `Deny`, then no matched parameters will be subject to
2326 // the
2327 // `failurePolicy` of the policy.
2328 //
2329 // Allowed values are `Allow` or `Deny`
2330 //
2331 // Required
2332 "parameterNotFoundAction"?: string
2333
2334 // selector can be used to match multiple param objects based on
2335 // their labels.
2336 // Supply selector: {} to match all resources of the ParamKind.
2337 //
2338 // If multiple params are found, they are all evaluated with the
2339 // policy expressions
2340 // and the results are ANDed together.
2341 //
2342 // One of `name` or `selector` must be set, but `name` and
2343 // `selector` are
2344 // mutually exclusive properties. If one is set, the other must be
2345 // unset.
2346 "selector"?: {
2347 // matchExpressions is a list of label selector requirements. The
2348 // requirements are ANDed.
2349 "matchExpressions"?: [...{
2350 // key is the label key that the selector applies to.
2351 "key"!: string
2352
2353 // operator represents a key's relationship to a set of values.
2354 // Valid operators are In, NotIn, Exists and DoesNotExist.
2355 "operator"!: string
2356
2357 // values is an array of string values. If the operator is In or
2358 // NotIn,
2359 // the values array must be non-empty. If the operator is Exists
2360 // or DoesNotExist,
2361 // the values array must be empty. This array is replaced during a
2362 // strategic
2363 // merge patch.
2364 "values"?: [...string]
2365 }]
2366
2367 // matchLabels is a map of {key,value} pairs. A single {key,value}
2368 // in the matchLabels
2369 // map is equivalent to an element of matchExpressions, whose key
2370 // field is "key", the
2371 // operator is "In", and the values array contains only "value".
2372 // The requirements are ANDed.
2373 "matchLabels"?: {
2374 [string]: string
2375 }
2376 }
2377 }
2378
2379 // Variables contain definitions of variables that can be used in
2380 // composition of other expressions.
2381 // Each variable is defined as a named CEL expression.
2382 // The variables defined here will be available under `variables`
2383 // in other expressions of the policy.
2384 "variables"?: [...{
2385 // Expression is the expression that will be evaluated as the
2386 // value of the variable.
2387 // The CEL expression has access to the same identifiers as the
2388 // CEL expressions in Validation.
2389 "expression"!: string
2390
2391 // Name is the name of the variable. The name must be a valid CEL
2392 // identifier and unique among all variables.
2393 // The variable can be accessed in other expressions through
2394 // `variables`
2395 // For example, if name is "foo", the variable will be available
2396 // as `variables.foo`
2397 "name"!: string
2398 }]
2399 }
2400
2401 // Deny defines conditions used to pass or fail a validation rule.
2402 "deny"?: {
2403 // Multiple conditions can be declared under an `any` or `all`
2404 // statement.
2405 // See:
2406 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
2407 "conditions"?: {
2408 // AllConditions enable variable-based conditional rule execution.
2409 // This is useful for
2410 // finer control of when a rule is applied. A condition can
2411 // reference object data
2412 // using JMESPath notation.
2413 // Here, all of the conditions need to pass.
2414 "all"?: [...{
2415 // Key is the context entry (using JMESPath) for conditional rule
2416 // evaluation.
2417 "key"?: null | bool | number | string | [...] | {
2418 ...
2419 }
2420
2421 // Message is an optional display message
2422 "message"?: string
2423
2424 // Operator is the conditional operation to perform. Valid
2425 // operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn,
2426 // AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
2427 // LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
2428 // DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan.
2429 // Note that `In` and `NotIn` are listed here but are not accepted
2430 // by the enum constraint on the field below.
2431 "operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2432
2433 // Value is the conditional value, or set of values. The values
2434 // can be a fixed set
2435 // or can be variables declared using JMESPath.
2436 "value"?: null | bool | number | string | [...] | {
2437 ...
2438 }
2439 }]
2440
2441 // AnyConditions enable variable-based conditional rule execution.
2442 // This is useful for
2443 // finer control of when a rule is applied. A condition can
2444 // reference object data
2445 // using JMESPath notation.
2446 // Here, at least one of the conditions needs to pass.
2447 "any"?: [...{
2448 // Key is the context entry (using JMESPath) for conditional rule
2449 // evaluation.
2450 "key"?: null | bool | number | string | [...] | {
2451 ...
2452 }
2453
2454 // Message is an optional display message
2455 "message"?: string
2456
2457 // Operator is the conditional operation to perform. Valid
2458 // operators are: Equals, NotEquals, In, AnyIn, AllIn, NotIn,
2459 // AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan,
2460 // LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
2461 // DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan.
2462 // Note that `In` and `NotIn` are listed here but are not accepted
2463 // by the enum constraint on the field below.
2464 "operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2465
2466 // Value is the conditional value, or set of values. The values
2467 // can be a fixed set
2468 // or can be variables declared using JMESPath.
2469 "value"?: null | bool | number | string | [...] | {
2470 ...
2471 }
2472 }]
2473 }
2474 }
2475
2476 // FailureAction defines if a validation policy rule violation
2477 // should block
2478 // the admission review request (Enforce), or allow (Audit) the
2479 // admission review request
2480 // and report an error in a policy report. Optional.
2481 // Allowed values are Audit or Enforce.
2482 "failureAction"?: "Audit" | "Enforce"
2483
2484 // FailureActionOverrides is a Cluster Policy attribute that
2485 // specifies FailureAction
2486 // namespace-wise. It overrides FailureAction for the specified
2487 // namespaces.
2488 "failureActionOverrides"?: [...{
2489 // ValidationFailureAction defines the policy validation failure
2490 // action
2491 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
2492
2493 // A label selector is a label query over a set of resources. The
2494 // result of matchLabels and
2495 // matchExpressions are ANDed. An empty label selector matches all
2496 // objects. A null
2497 // label selector matches no objects.
2498 "namespaceSelector"?: {
2499 // matchExpressions is a list of label selector requirements. The
2500 // requirements are ANDed.
2501 "matchExpressions"?: [...{
2502 // key is the label key that the selector applies to.
2503 "key"!: string
2504
2505 // operator represents a key's relationship to a set of values.
2506 // Valid operators are In, NotIn, Exists and DoesNotExist.
2507 "operator"!: string
2508
2509 // values is an array of string values. If the operator is In or
2510 // NotIn,
2511 // the values array must be non-empty. If the operator is Exists
2512 // or DoesNotExist,
2513 // the values array must be empty. This array is replaced during a
2514 // strategic
2515 // merge patch.
2516 "values"?: [...string]
2517 }]
2518
2519 // matchLabels is a map of {key,value} pairs. A single {key,value}
2520 // in the matchLabels
2521 // map is equivalent to an element of matchExpressions, whose key
2522 // field is "key", the
2523 // operator is "In", and the values array contains only "value".
2524 // The requirements are ANDed.
2525 "matchLabels"?: {
2526 [string]: string
2527 }
2528 }
2529 "namespaces"?: [...string]
2530 }]
2531
2532 // ForEach applies validate rules to a list of sub-elements by
2533 // creating a context for each entry in the list and looping over
2534 // it to apply the specified logic.
2535 "foreach"?: [...{
2536 // AnyPattern specifies list of validation patterns. At least one
2537 // of the patterns
2538 // must be satisfied for the validation rule to succeed.
2539 "anyPattern"?: null | bool | number | string | [...] | {
2540 ...
2541 }
2542
2543 // Context defines variables and data sources that can be used
2544 // during rule execution.
2545 "context"?: [...matchN(1, [{
2546 "configMap"!: _
2547 }, {
2548 "apiCall"!: _
2549 }, {
2550 "imageRegistry"!: _
2551 }, {
2552 "variable"!: _
2553 }, {
2554 "globalReference"!: _
2555 }]) & {
2556 // APICall is an HTTP request to the Kubernetes API server, or
2557 // other JSON web service.
2558 // The data returned is stored in the context with the name for
2559 // the context entry.
2560 "apiCall"?: {
2561 // The data object specifies the POST data sent to the server.
2562 // Only applicable when the method field is set to POST.
2563 "data"?: [...{
2564 // Key is a unique identifier for the data value
2565 "key"!: string
2566
2567 // Value is the data value
2568 "value"!: null | bool | number | string | [...] | {
2569 ...
2570 }
2571 }]
2572
2573 // Default is an optional arbitrary JSON object that the context
2574 // value is set to if the apiCall returns an error.
2575 "default"?: null | bool | number | string | [...] | {
2576 ...
2577 }
2578
2579 // JMESPath is an optional JSON Match Expression that can be used
2580 // to
2581 // transform the JSON response returned from the server. For
2582 // example
2583 // a JMESPath of "items | length(@)" applied to the API server
2584 // response
2585 // for the URLPath "/apis/apps/v1/deployments" will return the
2586 // total count
2587 // of deployments across all namespaces.
2588 "jmesPath"?: string
2589
2590 // Method is the HTTP request type (GET or POST). Defaults to GET.
2591 "method"?: "GET" | "POST"
2592
2593 // Service is an API call to a JSON web service.
2594 // This is used for non-Kubernetes API server calls.
2595 // It's mutually exclusive with the URLPath field.
2596 "service"?: {
2597 // CABundle is a PEM-encoded CA bundle that is used to validate
2598 // the server certificate presented by the web service.
2600 "caBundle"?: string
2601
2602 // Headers is a list of optional HTTP headers to be included in
2603 // the request.
2604 "headers"?: [...{
2605 // Key is the header key
2606 "key"!: string
2607
2608 // Value is the header value
2609 "value"!: string
2610 }]
2611
2612 // URL is the JSON web service URL. A typical form is
2613 // `https://{service}.{namespace}:{port}/{path}`.
2614 "url"!: string
2615 }
2616
2617 // URLPath is the URL path to be used in the HTTP GET or POST
2618 // request to the
2619 // Kubernetes API server (e.g. "/api/v1/namespaces" or
2620 // "/apis/apps/v1/deployments").
2621 // The format required is the same format used by the `kubectl get
2622 // --raw` command.
2623 // See
2624 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
2625 // for details.
2626 // It's mutually exclusive with the Service field.
2627 "urlPath"?: string
2628 }
2629
2630 // ConfigMap is the ConfigMap reference.
2631 "configMap"?: {
2632 // Name is the ConfigMap name.
2633 "name"!: string
2634
2635 // Namespace is the ConfigMap namespace.
2636 "namespace"?: string
2637 }
2638
2639 // GlobalContextEntryReference is a reference to a cached global
2640 // context entry.
2641 "globalReference"?: {
2642 // JMESPath is an optional JSON Match Expression that can be used
2643 // to
2644 // transform the JSON response returned from the server. For
2645 // example
2646 // a JMESPath of "items | length(@)" applied to the API server
2647 // response
2648 // for the URLPath "/apis/apps/v1/deployments" will return the
2649 // total count
2650 // of deployments across all namespaces.
2651 "jmesPath"?: string
2652
2653 // Name of the global context entry
2654 "name"!: string
2655 }
2656
2657 // ImageRegistry defines requests to an OCI/Docker V2 registry to
2658 // fetch image
2659 // details.
2660 "imageRegistry"?: {
2661 // ImageRegistryCredentials provides credentials that will be used
2662 // for authentication with registry
2663 "imageRegistryCredentials"?: {
2664 // AllowInsecureRegistry allows insecure access to a registry.
2664 // Leave it unset unless the registry cannot be reached securely.
2665 "allowInsecureRegistry"?: bool
2666
2667 // Providers specifies a list of OCI Registry names, whose
2668 // authentication providers are provided.
2669 // It can be of one of these values:
2670 // default,google,azure,amazon,github.
2671 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
2672
2673 // Secrets specifies a list of secrets that are provided for
2674 // credentials.
2675 // Secrets must live in the Kyverno namespace.
2676 "secrets"?: [...string]
2677 }
2678
2679 // JMESPath is an optional JSON Match Expression that can be used
2680 // to
2681 // transform the ImageData struct returned as a result of
2682 // processing
2683 // the image reference.
2684 "jmesPath"?: string
2685
2686 // Reference is an image reference to a container image in the
2687 // registry.
2688 // Example: ghcr.io/kyverno/kyverno:latest
2689 "reference"!: string
2690 }
2691
2692 // Name is the variable name.
2693 "name"!: string
2694
2695 // Variable defines an arbitrary JMESPath context variable that
2696 // can be defined inline.
2697 "variable"?: {
2698 // Default is an optional arbitrary JSON object that the variable
2699 // may take if the JMESPath
2700 // expression evaluates to nil
2701 "default"?: null | bool | number | string | [...] | {
2702 ...
2703 }
2704
2705 // JMESPath is an optional JMESPath Expression that can be used to
2706 // transform the variable.
2707 "jmesPath"?: string
2708
2709 // Value is any arbitrary JSON object representable in YAML or
2710 // JSON form.
2711 "value"?: null | bool | number | string | [...] | {
2712 ...
2713 }
2714 }
2715 }]
2716
2717 // Deny defines conditions used to pass or fail a validation rule.
2718 "deny"?: {
2719 // Multiple conditions can be declared under an `any` or `all`
2720 // statement. A direct list
2721 // of conditions (without `any` or `all` statements) is also
2722 // supported for backwards compatibility
2723 // but will be deprecated in the next major release.
2724 // See:
2725 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
2726 "conditions"?: null | bool | number | string | [...] | {
2727 ...
2728 }
2729 }
2730
2731 // ElementScope specifies whether to use the current list element
2732 // as the scope for validation. Defaults to "true" if not
2733 // specified.
2734 // When set to "false", "request.object" is used as the validation
2735 // scope within the foreach
2736 // block to allow referencing other elements in the subtree.
2737 "elementScope"?: bool
2738
2739 // Foreach declares a nested foreach iterator
2740 "foreach"?: null | bool | number | string | [...] | {
2741 ...
2742 }
2743
2744 // List specifies a JMESPath expression that results in one or
2745 // more elements
2746 // to which the validation logic is applied.
2747 "list"?: string
2748
2749 // Pattern specifies an overlay-style pattern used to check
2750 // resources.
2751 "pattern"?: null | bool | number | string | [...] | {
2752 ...
2753 }
2754
2755 // AnyAllConditions are used to determine if a policy rule should
2756 // be applied by evaluating a
2757 // set of conditions. The declaration can contain nested `any` or
2758 // `all` statements.
2759 // See: https://kyverno.io/docs/writing-policies/preconditions/
2760 "preconditions"?: {
2761 // AllConditions enable variable-based conditional rule execution.
2762 // This is useful for
2763 // finer control of when a rule is applied. A condition can
2764 // reference object data
2765 // using JMESPath notation.
2766 // Here, all of the conditions need to pass
2767 "all"?: [...{
2768 // Key is the context entry (using JMESPath) for conditional rule
2769 // evaluation.
2770 "key"?: null | bool | number | string | [...] | {
2771 ...
2772 }
2773
2774 // Message is an optional display message
2775 "message"?: string
2776
2777 // Operator is the conditional operation to perform. Valid
2778 // operators are:
2779 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2780 // GreaterThanOrEquals,
2781 // GreaterThan, LessThanOrEquals, LessThan,
2782 // DurationGreaterThanOrEquals, DurationGreaterThan,
2783 // DurationLessThanOrEquals, DurationLessThan
2784 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2785
2786 // Value is the conditional value, or set of values. The values
2787 // can be fixed set
2788 // or can be variables declared using JMESPath.
2789 "value"?: null | bool | number | string | [...] | {
2790 ...
2791 }
2792 }]
2793
2794 // AnyConditions enable variable-based conditional rule execution.
2795 // This is useful for
2796 // finer control of when a rule is applied. A condition can
2797 // reference object data
2798 // using JMESPath notation.
2799 // Here, at least one of the conditions needs to pass
2800 "any"?: [...{
2801 // Key is the context entry (using JMESPath) for conditional rule
2802 // evaluation.
2803 "key"?: null | bool | number | string | [...] | {
2804 ...
2805 }
2806
2807 // Message is an optional display message
2808 "message"?: string
2809
2810 // Operator is the conditional operation to perform. Valid
2811 // operators are:
2812 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
2813 // GreaterThanOrEquals,
2814 // GreaterThan, LessThanOrEquals, LessThan,
2815 // DurationGreaterThanOrEquals, DurationGreaterThan,
2816 // DurationLessThanOrEquals, DurationLessThan
2817 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
2818
2819 // Value is the conditional value, or set of values. The values
2820 // can be fixed set
2821 // or can be variables declared using JMESPath.
2822 "value"?: null | bool | number | string | [...] | {
2823 ...
2824 }
2825 }]
2826 ...
2827 }
2828 }]
2829
2830 // Manifest specifies conditions for manifest verification
2831 "manifests"?: {
2832 // AnnotationDomain is the custom annotation domain for the message and
2833 // signature. Default is "cosign.sigstore.dev".
2834 "annotationDomain"?: string
2835
2836 // Attestors specify the required attestors (i.e. authorities).
2837 "attestors"?: [...{
2838 // Count specifies the required number of entries that must match.
2839 // If the count is null, all entries must match
2840 // (a logical AND). If the count is 1, at least one entry must
2841 // match (a logical OR). If the count contains a
2842 // value N, then N must be less than or equal to the size of
2843 // entries, and at least N entries must match.
2844 "count"?: int & >=1
2845
2846 // Entries contains the available attestors. An attestor can be a
2847 // static key,
2848 // attributes for keyless verification, or a nested attestor
2849 // declaration.
2850 "entries"?: [...{
2851 // Annotations are used for image verification.
2852 // Every specified key-value pair must exist and match in the
2853 // verified payload.
2854 // The payload may contain other key-value pairs.
2855 "annotations"?: [string]: string
2856
2857 // Attestor is a nested set of Attestor used to specify a more
2858 // complex set of match authorities.
2859 "attestor"?: null | bool | number | string | [...] | {
2860 ...
2861 }
2862
2863 // Certificates specifies one or more certificates.
2864 "certificates"?: {
2865 // Cert is an optional PEM-encoded public certificate.
2866 "cert"?: string
2867
2868 // CertChain is an optional PEM encoded set of certificates used
2869 // to verify.
2870 "certChain"?: string
2871
2872 // CTLog (certificate timestamp log) provides a configuration for
2873 // validation of Signed Certificate
2874 // Timestamps (SCTs). If the value is unset, the default behavior
2875 // by Cosign is used.
2876 "ctlog"?: {
2877 // IgnoreSCT defines whether to use the Signed Certificate
2878 // Timestamp (SCT) log to check for a certificate
2879 // timestamp. Default is false. Set to true if this was opted out
2880 // during signing.
2881 "ignoreSCT"?: bool
2882
2883 // PubKey, if set, is used to validate SCTs against a custom
2884 // source.
2885 "pubkey"?: string
2886
2887 // TSACertChain, if set, is the PEM-encoded certificate chain file
2888 // for the RFC3161 timestamp authority. Must
2889 // contain the root CA certificate. Optionally may contain
2890 // intermediate CA certificates, and
2891 // may contain the leaf TSA certificate if not present in the
2892 // timestamp source.
2893 "tsaCertChain"?: string
2894 }
2895
2896 // Rekor provides configuration for the Rekor transparency log
2897 // service. If an empty object
2898 // is provided the public instance of Rekor
2899 // (https://rekor.sigstore.dev) is used.
2900 "rekor"?: {
2901 // IgnoreTlog skips transparency log verification.
2902 "ignoreTlog"?: bool
2903
2904 // RekorPubKey is an optional PEM-encoded public key to use for a
2905 // custom Rekor.
2906 // If set, this will be used to validate transparency log
2907 // signatures from a custom Rekor.
2908 "pubkey"?: string
2909
2910 // URL is the address of the transparency log. Defaults to the
2911 // public Rekor log instance https://rekor.sigstore.dev.
2912 "url"?: string
2913 }
2914 }
2915
2916 // Keyless is a set of attributes used to verify a Sigstore keyless
2917 // attestor.
2918 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
2919 "keyless"?: {
2920 // AdditionalExtensions are certificate-extensions used for
2921 // keyless signing.
2922 "additionalExtensions"?: [string]: string
2923
2924 // CTLog (certificate timestamp log) provides a configuration for
2925 // validation of Signed Certificate
2926 // Timestamps (SCTs). If the value is unset, the default behavior
2927 // by Cosign is used.
2928 "ctlog"?: {
2929 // IgnoreSCT defines whether to use the Signed Certificate
2930 // Timestamp (SCT) log to check for a certificate
2931 // timestamp. Default is false. Set to true if this was opted out
2932 // during signing.
2933 "ignoreSCT"?: bool
2934
2935 // PubKey, if set, is used to validate SCTs against a custom
2936 // source.
2937 "pubkey"?: string
2938
2939 // TSACertChain, if set, is the PEM-encoded certificate chain file
2940 // for the RFC3161 timestamp authority. Must
2941 // contain the root CA certificate. Optionally may contain
2942 // intermediate CA certificates, and
2943 // may contain the leaf TSA certificate if not present in the
2944 // timestamp source.
2945 "tsaCertChain"?: string
2946 }
2947
2948 // Issuer is the certificate issuer used for keyless signing.
2949 "issuer"?: string
2950
2951 // IssuerRegExp is the regular expression to match certificate
2952 // issuer used for keyless signing.
2953 "issuerRegExp"?: string
2954
2955 // Rekor provides configuration for the Rekor transparency log
2956 // service. If an empty object
2957 // is provided the public instance of Rekor
2958 // (https://rekor.sigstore.dev) is used.
2959 "rekor"?: {
2960 // IgnoreTlog skips transparency log verification.
2961 "ignoreTlog"?: bool
2962
2963 // RekorPubKey is an optional PEM-encoded public key to use for a
2964 // custom Rekor.
2965 // If set, this will be used to validate transparency log
2966 // signatures from a custom Rekor.
2967 "pubkey"?: string
2968
2969 // URL is the address of the transparency log. Defaults to the
2970 // public Rekor log instance https://rekor.sigstore.dev.
2971 "url"?: string
2972 }
2973
2974 // Roots is an optional set of PEM encoded trusted root
2975 // certificates.
2976 // If not provided, the system roots are used.
2977 "roots"?: string
2978
2979 // Subject is the verified identity used for keyless signing, for
2980 // example the email address.
2981 "subject"?: string
2982
2983 // SubjectRegExp is the regular expression to match identity used
2984 // for keyless signing, for example the email address.
2985 "subjectRegExp"?: string
2986 }
2987
2988 // Keys specifies one or more public keys.
2989 "keys"?: {
2990 // CTLog (certificate timestamp log) provides a configuration for
2991 // validation of Signed Certificate
2992 // Timestamps (SCTs). If the value is unset, the default behavior
2993 // by Cosign is used.
2994 "ctlog"?: {
2995 // IgnoreSCT defines whether to use the Signed Certificate
2996 // Timestamp (SCT) log to check for a certificate
2997 // timestamp. Default is false. Set to true if this was opted out
2998 // during signing.
2999 "ignoreSCT"?: bool
3000
3001 // PubKey, if set, is used to validate SCTs against a custom
3002 // source.
3003 "pubkey"?: string
3004
3005 // TSACertChain, if set, is the PEM-encoded certificate chain file
3006 // for the RFC3161 timestamp authority. Must
3007 // contain the root CA certificate. Optionally may contain
3008 // intermediate CA certificates, and
3009 // may contain the leaf TSA certificate if not present in the
3010 // timestamp source.
3011 "tsaCertChain"?: string
3012 }
3013
3014 // KMS provides the URI to the public key stored in a Key
3015 // Management System. See:
3016 // https://github.com/sigstore/cosign/blob/main/KMS.md
3017 "kms"?: string
3018
3019 // Keys is a set of X.509 public keys used to verify image
3020 // signatures. The keys can be directly
3021 // specified or can be a variable reference to a key specified in
3022 // a ConfigMap (see
3023 // https://kyverno.io/docs/writing-policies/variables/), or
3024 // reference a standard Kubernetes Secret
3025 // elsewhere in the cluster by specifying it in the format
3026 // "k8s://<namespace>/<secret_name>".
3027 // The named Secret must specify a key `cosign.pub` containing the
3028 // public key used for
3029 // verification (see
3030 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3031 // When multiple keys are specified each key is processed as a
3032 // separate staticKey entry
3033 // (.attestors[*].entries.keys) within the set of attestors and
3034 // the count is applied across the keys.
3035 "publicKeys"?: string
3036
3037 // Rekor provides configuration for the Rekor transparency log
3038 // service. If an empty object
3039 // is provided the public instance of Rekor
3040 // (https://rekor.sigstore.dev) is used.
3041 "rekor"?: {
3042 // IgnoreTlog skips transparency log verification.
3043 "ignoreTlog"?: bool
3044
3045 // RekorPubKey is an optional PEM-encoded public key to use for a
3046 // custom Rekor.
3047 // If set, this will be used to validate transparency log
3048 // signatures from a custom Rekor.
3049 "pubkey"?: string
3050
3051 // URL is the address of the transparency log. Defaults to the
3052 // public Rekor log instance https://rekor.sigstore.dev.
3053 "url"?: string
3054 }
3055
3056 // Reference to a Secret resource that contains a public key
3057 "secret"?: {
3058 // Name of the secret. The provided secret must contain a key
3059 // named cosign.pub.
3060 "name"!: string
3061
3062 // Namespace name where the Secret exists.
3063 "namespace"!: string
3064 }
3065
3066 // Deprecated. Use attestor.signatureAlgorithm instead.
3067 "signatureAlgorithm"?: string
3068 }
3069
3070 // Repository is an optional alternate OCI repository to use for
3071 // signatures and attestations that match this rule.
3072 // If specified Repository will override other OCI image
3073 // repository locations for this Attestor.
3074 "repository"?: string
3075
3076 // SignatureAlgorithm specifies the signature algorithm for public keys. Supported values
3077 // are sha224, sha256, sha384 and sha512.
3078 "signatureAlgorithm"?: string
3079 }]
3080 }]
3081
3082 // DryRun configuration
3083 "dryRun"?: {
3084 "enable"?: bool
3085 "namespace"?: string
3086 }
3087
3088 // Fields which will be ignored while comparing manifests.
3089 "ignoreFields"?: [...{
3090 "fields"?: [...string]
3091 "objects"?: [...{
3092 "group"?: string
3093 "kind"?: string
3094 "name"?: string
3095 "namespace"?: string
3096 "version"?: string
3097 }]
3098 }]
3099
3100 // Repository is an optional alternate OCI repository to use for
3101 // resource bundle reference.
3102 // The repository can be overridden per Attestor or Attestation.
3103 "repository"?: string
3104 }
3105
3106 // Message specifies a custom message to be displayed on failure.
3107 "message"?: string
3108
3109 // Pattern specifies an overlay-style pattern used to check
3110 // resources.
3111 "pattern"?: null | bool | number | string | [...] | {
3112 ...
3113 }
3114
3115 // PodSecurity applies exemptions for Kubernetes Pod Security
3116 // admission
3117 // by specifying exclusions for Pod Security Standards controls.
3118 "podSecurity"?: {
3119 // Exclude specifies the Pod Security Standard controls to be
3120 // excluded.
3121 "exclude"?: [...{
3122 // ControlName specifies the name of the Pod Security Standard
3123 // control.
3124 // See:
3125 // https://kubernetes.io/docs/concepts/security/pod-security-standards/
3126 "controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
3127
3128 // Images selects matching containers and applies the container
3129 // level PSS.
3130 // Each image is the image name consisting of the registry
3131 // address, repository, image, and tag.
3132 // An empty list matches no containers; PSS checks are applied at the
3133 // pod level only.
3134 // Wildcards ('*' and '?') are allowed. See:
3135 // https://kubernetes.io/docs/concepts/containers/images.
3136 "images"?: [...string]
3137
3138 // RestrictedField selects the field for the given Pod Security
3139 // Standard control.
3140 // When not set, all restricted fields for the control are
3141 // selected.
3142 "restrictedField"?: string
3143
3144 // Values defines the allowed values that can be excluded.
3145 "values"?: [...string]
3146 }]
3147
3148 // Level defines the Pod Security Standard level to be applied to
3149 // workloads.
3150 // Allowed values are privileged, baseline, and restricted.
3151 "level"?: "privileged" | "baseline" | "restricted"
3152
3153 // Version defines the Pod Security Standard versions that
3154 // Kubernetes supports.
3155 // Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
3156 // v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
3157 "version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
3158 }
3159 }
3160
3161 // VerifyImages is used to verify image signatures and mutate them
3162 // to add a digest
3163 "verifyImages"?: [...{
3164 // Attestations are optional checks for signed in-toto Statements
3165 // used to verify the image.
3166 // See https://github.com/in-toto/attestation. Kyverno fetches
3167 // signed attestations from the
3168 // OCI registry and decodes them into a list of Statement
3169 // declarations.
3170 "attestations"?: [...{
3171 // Attestors specify the required attestors (i.e. authorities).
3172 "attestors"?: [...{
3173 // Count specifies the required number of entries that must match.
3174 // If the count is null, all entries must match
3175 // (a logical AND). If the count is 1, at least one entry must
3176 // match (a logical OR). If the count contains a
3177 // value N, then N must be less than or equal to the size of
3178 // entries, and at least N entries must match.
3179 "count"?: int & >=1
3180
3181 // Entries contains the available attestors. An attestor can be a
3182 // static key,
3183 // attributes for keyless verification, or a nested attestor
3184 // declaration.
3185 "entries"?: [...{
3186 // Annotations are used for image verification.
3187 // Every specified key-value pair must exist and match in the
3188 // verified payload.
3189 // The payload may contain other key-value pairs.
3190 "annotations"?: [string]: string
3191
3192 // Attestor is a nested set of Attestor used to specify a more
3193 // complex set of match authorities.
3194 "attestor"?: null | bool | number | string | [...] | {
3195 ...
3196 }
3197
3198 // Certificates specifies one or more certificates.
3199 "certificates"?: {
3200 // Cert is an optional PEM-encoded public certificate.
3201 "cert"?: string
3202
3203 // CertChain is an optional PEM encoded set of certificates used
3204 // to verify.
3205 "certChain"?: string
3206
3207 // CTLog (certificate timestamp log) provides a configuration for
3208 // validation of Signed Certificate
3209 // Timestamps (SCTs). If the value is unset, the default behavior
3210 // by Cosign is used.
3211 "ctlog"?: {
3212 // IgnoreSCT defines whether to use the Signed Certificate
3213 // Timestamp (SCT) log to check for a certificate
3214 // timestamp. Default is false. Set to true if this was opted out
3215 // during signing.
3216 "ignoreSCT"?: bool
3217
3218 // PubKey, if set, is used to validate SCTs against a custom
3219 // source.
3220 "pubkey"?: string
3221
3222 // TSACertChain, if set, is the PEM-encoded certificate chain file
3223 // for the RFC3161 timestamp authority. Must
3224 // contain the root CA certificate. Optionally may contain
3225 // intermediate CA certificates, and
3226 // may contain the leaf TSA certificate if not present in the
3227 // timestamp source.
3228 "tsaCertChain"?: string
3229 }
3230
3231 // Rekor provides configuration for the Rekor transparency log
3232 // service. If an empty object
3233 // is provided the public instance of Rekor
3234 // (https://rekor.sigstore.dev) is used.
3235 "rekor"?: {
3236 // IgnoreTlog skips transparency log verification.
3237 "ignoreTlog"?: bool
3238
3239 // RekorPubKey is an optional PEM-encoded public key to use for a
3240 // custom Rekor.
3241 // If set, this will be used to validate transparency log
3242 // signatures from a custom Rekor.
3243 "pubkey"?: string
3244
3245 // URL is the address of the transparency log. Defaults to the
3246 // public Rekor log instance https://rekor.sigstore.dev.
3247 "url"?: string
3248 }
3249 }
3250
3251 // Keyless is a set of attributes used to verify a Sigstore keyless
3252 // attestor.
3253 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3254 "keyless"?: {
3255 // AdditionalExtensions are certificate-extensions used for
3256 // keyless signing.
3257 "additionalExtensions"?: [string]: string
3258
3259 // CTLog (certificate timestamp log) provides a configuration for
3260 // validation of Signed Certificate
3261 // Timestamps (SCTs). If the value is unset, the default behavior
3262 // by Cosign is used.
3263 "ctlog"?: {
3264 // IgnoreSCT defines whether to use the Signed Certificate
3265 // Timestamp (SCT) log to check for a certificate
3266 // timestamp. Default is false. Set to true if this was opted out
3267 // during signing.
3268 "ignoreSCT"?: bool
3269
3270 // PubKey, if set, is used to validate SCTs against a custom
3271 // source.
3272 "pubkey"?: string
3273
3274 // TSACertChain, if set, is the PEM-encoded certificate chain file
3275 // for the RFC3161 timestamp authority. Must
3276 // contain the root CA certificate. Optionally may contain
3277 // intermediate CA certificates, and
3278 // may contain the leaf TSA certificate if not present in the
3279 // timestamp source.
3280 "tsaCertChain"?: string
3281 }
3282
3283 // Issuer is the certificate issuer used for keyless signing.
3284 "issuer"?: string
3285
3286 // IssuerRegExp is the regular expression to match certificate
3287 // issuer used for keyless signing.
3288 "issuerRegExp"?: string
3289
3290 // Rekor provides configuration for the Rekor transparency log
3291 // service. If an empty object
3292 // is provided the public instance of Rekor
3293 // (https://rekor.sigstore.dev) is used.
3294 "rekor"?: {
3295 // IgnoreTlog skips transparency log verification.
3296 "ignoreTlog"?: bool
3297
3298 // RekorPubKey is an optional PEM-encoded public key to use for a
3299 // custom Rekor.
3300 // If set, this will be used to validate transparency log
3301 // signatures from a custom Rekor.
3302 "pubkey"?: string
3303
3304 // URL is the address of the transparency log. Defaults to the
3305 // public Rekor log instance https://rekor.sigstore.dev.
3306 "url"?: string
3307 }
3308
3309 // Roots is an optional set of PEM encoded trusted root
3310 // certificates.
3311 // If not provided, the system roots are used.
3312 "roots"?: string
3313
3314 // Subject is the verified identity used for keyless signing, for
3315 // example the email address.
3316 "subject"?: string
3317
3318 // SubjectRegExp is the regular expression to match identity used
3319 // for keyless signing, for example the email address.
3320 "subjectRegExp"?: string
3321 }
3322
3323 // Keys specifies one or more public keys.
3324 "keys"?: {
3325 // CTLog (certificate timestamp log) provides a configuration for
3326 // validation of Signed Certificate
3327 // Timestamps (SCTs). If the value is unset, the default behavior
3328 // by Cosign is used.
3329 "ctlog"?: {
3330 // IgnoreSCT defines whether to use the Signed Certificate
3331 // Timestamp (SCT) log to check for a certificate
3332 // timestamp. Default is false. Set to true if this was opted out
3333 // during signing.
3334 "ignoreSCT"?: bool
3335
3336 // PubKey, if set, is used to validate SCTs against a custom
3337 // source.
3338 "pubkey"?: string
3339
3340 // TSACertChain, if set, is the PEM-encoded certificate chain file
3341 // for the RFC3161 timestamp authority. Must
3342 // contain the root CA certificate. Optionally may contain
3343 // intermediate CA certificates, and
3344 // may contain the leaf TSA certificate if not present in the
3345 // timestamp source.
3346 "tsaCertChain"?: string
3347 }
3348
3349 // KMS provides the URI to the public key stored in a Key
3350 // Management System. See:
3351 // https://github.com/sigstore/cosign/blob/main/KMS.md
3352 "kms"?: string
3353
3354 // Keys is a set of X.509 public keys used to verify image
3355 // signatures. The keys can be directly
3356 // specified or can be a variable reference to a key specified in
3357 // a ConfigMap (see
3358 // https://kyverno.io/docs/writing-policies/variables/), or
3359 // reference a standard Kubernetes Secret
3360 // elsewhere in the cluster by specifying it in the format
3361 // "k8s://<namespace>/<secret_name>".
3362 // The named Secret must specify a key `cosign.pub` containing the
3363 // public key used for
3364 // verification (see
3365 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3366 // When multiple keys are specified each key is processed as a
3367 // separate staticKey entry
3368 // (.attestors[*].entries.keys) within the set of attestors and
3369 // the count is applied across the keys.
3370 "publicKeys"?: string
3371
3372 // Rekor provides configuration for the Rekor transparency log
3373 // service. If an empty object
3374 // is provided the public instance of Rekor
3375 // (https://rekor.sigstore.dev) is used.
3376 "rekor"?: {
3377 // IgnoreTlog skips transparency log verification.
3378 "ignoreTlog"?: bool
3379
3380 // RekorPubKey is an optional PEM-encoded public key to use for a
3381 // custom Rekor.
3382 // If set, this will be used to validate transparency log
3383 // signatures from a custom Rekor.
3384 "pubkey"?: string
3385
3386 // URL is the address of the transparency log. Defaults to the
3387 // public Rekor log instance https://rekor.sigstore.dev.
3388 "url"?: string
3389 }
3390
3391 // Reference to a Secret resource that contains a public key
3392 "secret"?: {
3393 // Name of the secret. The provided secret must contain a key
3394 // named cosign.pub.
3395 "name"!: string
3396
3397 // Namespace name where the Secret exists.
3398 "namespace"!: string
3399 }
3400
3401 // Deprecated. Use attestor.signatureAlgorithm instead.
3402 "signatureAlgorithm"?: string
3403 }
3404
3405 // Repository is an optional alternate OCI repository to use for
3406 // signatures and attestations that match this rule.
3407 // If specified Repository will override other OCI image
3408 // repository locations for this Attestor.
3409 "repository"?: string
3410
3411 // SignatureAlgorithm specifies the signature algorithm for public keys. Supported values
3412 // are sha224, sha256, sha384 and sha512.
3413 "signatureAlgorithm"?: string
3414 }]
3415 }]
3416
3417 // Conditions are used to verify attributes within a Predicate. If
3418 // no Conditions are specified
3419 // the attestation check is satisfied as long there are predicates
3420 // that match the predicate type.
3421 "conditions"?: [...{
3422 // AllConditions enable variable-based conditional rule execution.
3423 // This is useful for
3424 // finer control of when a rule is applied. A condition can
3425 // reference object data
3426 // using JMESPath notation.
3427 // Here, all of the conditions need to pass
3428 "all"?: [...{
3429 // Key is the context entry (using JMESPath) for conditional rule
3430 // evaluation.
3431 "key"?: null | bool | number | string | [...] | {
3432 ...
3433 }
3434
3435 // Message is an optional display message
3436 "message"?: string
3437
3438 // Operator is the conditional operation to perform. Valid
3439 // operators are:
3440 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3441 // GreaterThanOrEquals,
3442 // GreaterThan, LessThanOrEquals, LessThan,
3443 // DurationGreaterThanOrEquals, DurationGreaterThan,
3444 // DurationLessThanOrEquals, DurationLessThan
3445 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3446
3447 // Value is the conditional value, or set of values. The values
3448 // can be fixed set
3449 // or can be variables declared using JMESPath.
3450 "value"?: null | bool | number | string | [...] | {
3451 ...
3452 }
3453 }]
3454
3455 // AnyConditions enable variable-based conditional rule execution.
3456 // This is useful for
3457 // finer control of when a rule is applied. A condition can
3458 // reference object data
3459 // using JMESPath notation.
3460 // Here, at least one of the conditions needs to pass
3461 "any"?: [...{
3462 // Key is the context entry (using JMESPath) for conditional rule
3463 // evaluation.
3464 "key"?: null | bool | number | string | [...] | {
3465 ...
3466 }
3467
3468 // Message is an optional display message
3469 "message"?: string
3470
3471 // Operator is the conditional operation to perform. Valid
3472 // operators are:
3473 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
3474 // GreaterThanOrEquals,
3475 // GreaterThan, LessThanOrEquals, LessThan,
3476 // DurationGreaterThanOrEquals, DurationGreaterThan,
3477 // DurationLessThanOrEquals, DurationLessThan
3478 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
3479
3480 // Value is the conditional value, or set of values. The values
3481 // can be fixed set
3482 // or can be variables declared using JMESPath.
3483 "value"?: null | bool | number | string | [...] | {
3484 ...
3485 }
3486 }]
3487 }]
3488
3489 // Name is the variable name.
3490 "name"?: string
3491
3492 // Deprecated in favour of 'Type', to be removed soon
3493 "predicateType"?: string
3494
3495 // Type defines the type of attestation contained within the
3496 // Statement.
3497 "type"?: string
3498 }]
3499
3500 // Attestors specify the required attestors (i.e. authorities).
3501 "attestors"?: [...{
3502 // Count specifies the required number of entries that must match.
3503 // If the count is null, all entries must match
3504 // (a logical AND). If the count is 1, at least one entry must
3505 // match (a logical OR). If the count contains a
3506 // value N, then N must be less than or equal to the size of
3507 // entries, and at least N entries must match.
3508 "count"?: int & >=1
3509
3510 // Entries contains the available attestors. An attestor can be a
3511 // static key,
3512 // attributes for keyless verification, or a nested attestor
3513 // declaration.
3514 "entries"?: [...{
3515 // Annotations are used for image verification.
3516 // Every specified key-value pair must exist and match in the
3517 // verified payload.
3518 // The payload may contain other key-value pairs.
3519 "annotations"?: [string]: string
3520
3521 // Attestor is a nested set of Attestor used to specify a more
3522 // complex set of match authorities.
3523 "attestor"?: null | bool | number | string | [...] | {
3524 ...
3525 }
3526
3527 // Certificates specifies one or more certificates.
3528 "certificates"?: {
3529 // Cert is an optional PEM-encoded public certificate.
3530 "cert"?: string
3531
3532 // CertChain is an optional PEM encoded set of certificates used
3533 // to verify.
3534 "certChain"?: string
3535
3536 // CTLog (certificate timestamp log) provides a configuration for
3537 // validation of Signed Certificate
3538 // Timestamps (SCTs). If the value is unset, the default behavior
3539 // by Cosign is used.
3540 "ctlog"?: {
3541 // IgnoreSCT defines whether to use the Signed Certificate
3542 // Timestamp (SCT) log to check for a certificate
3543 // timestamp. Default is false. Set to true if this was opted out
3544 // during signing.
3545 "ignoreSCT"?: bool
3546
3547 // PubKey, if set, is used to validate SCTs against a custom
3548 // source.
3549 "pubkey"?: string
3550
3551 // TSACertChain, if set, is the PEM-encoded certificate chain file
3552 // for the RFC3161 timestamp authority. Must
3553 // contain the root CA certificate. Optionally may contain
3554 // intermediate CA certificates, and
3555 // may contain the leaf TSA certificate if not present in the
3556 // timestamp response.
3557 "tsaCertChain"?: string
3558 }
3559
3560 // Rekor provides configuration for the Rekor transparency log
3561 // service. If an empty object
3562 // is provided the public instance of Rekor
3563 // (https://rekor.sigstore.dev) is used.
3564 "rekor"?: {
3565 // IgnoreTlog skips transparency log verification. When true, no Rekor inclusion proof is required and the signature is trusted on the key or certificate alone; keep it false unless the signatures were intentionally never uploaded to a transparency log.
3566 "ignoreTlog"?: bool
3567
3568 // RekorPubKey is an optional PEM-encoded public key to use for a
3569 // custom Rekor.
3570 // If set, this will be used to validate transparency log
3571 // signatures from a custom Rekor.
3572 "pubkey"?: string
3573
3574 // URL is the address of the transparency log. Defaults to the
3575 // public Rekor log instance https://rekor.sigstore.dev.
3576 "url"?: string
3577 }
3578 }
3579
3580 // Keyless is a set of attributes used to verify a Sigstore keyless
3581 // attestor.
3582 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
3583 "keyless"?: {
3584 // AdditionalExtensions are certificate-extensions used for
3585 // keyless signing.
3586 "additionalExtensions"?: [string]: string
3587
3588 // CTLog (certificate timestamp log) provides a configuration for
3589 // validation of Signed Certificate
3590 // Timestamps (SCTs). If the value is unset, the default behavior
3591 // by Cosign is used.
3592 "ctlog"?: {
3593 // IgnoreSCT defines whether to use the Signed Certificate
3594 // Timestamp (SCT) log to check for a certificate
3595 // timestamp. Default is false. Set to true if this was opted out
3596 // during signing.
3597 "ignoreSCT"?: bool
3598
3599 // PubKey, if set, is used to validate SCTs against a custom
3600 // source.
3601 "pubkey"?: string
3602
3603 // TSACertChain, if set, is the PEM-encoded certificate chain file
3604 // for the RFC3161 timestamp authority. Must
3605 // contain the root CA certificate. Optionally may contain
3606 // intermediate CA certificates, and
3607 // may contain the leaf TSA certificate if not present in the
3608 // timestamp response.
3609 "tsaCertChain"?: string
3610 }
3611
3612 // Issuer is the certificate issuer used for keyless signing.
3613 "issuer"?: string
3614
3615 // IssuerRegExp is the regular expression to match the certificate
3616 // issuer used for keyless signing. Anchor it (`^...$`) unless a partial match is intended, so an unrelated issuer that merely contains the pattern as a substring is not accepted.
3617 "issuerRegExp"?: string
3618
3619 // Rekor provides configuration for the Rekor transparency log
3620 // service. If an empty object
3621 // is provided the public instance of Rekor
3622 // (https://rekor.sigstore.dev) is used.
3623 "rekor"?: {
3624 // IgnoreTlog skips transparency log verification. When true, no Rekor inclusion proof is required and the signature is trusted on the key or certificate alone; keep it false unless the signatures were intentionally never uploaded to a transparency log.
3625 "ignoreTlog"?: bool
3626
3627 // RekorPubKey is an optional PEM-encoded public key to use for a
3628 // custom Rekor.
3629 // If set, this will be used to validate transparency log
3630 // signatures from a custom Rekor.
3631 "pubkey"?: string
3632
3633 // URL is the address of the transparency log. Defaults to the
3634 // public Rekor log instance https://rekor.sigstore.dev.
3635 "url"?: string
3636 }
3637
3638 // Roots is an optional set of PEM encoded trusted root
3639 // certificates.
3640 // If not provided, the system roots are used.
3641 "roots"?: string
3642
3643 // Subject is the verified identity used for keyless signing, for
3644 // example the email address.
3645 "subject"?: string
3646
3647 // SubjectRegExp is the regular expression to match the identity used
3648 // for keyless signing, for example the email address. Anchor it (`^...$`) unless a partial match is intended, so an unrelated identity that merely contains the pattern as a substring is not accepted.
3649 "subjectRegExp"?: string
3650 }
3651
3652 // Keys specifies one or more public keys.
3653 "keys"?: {
3654 // CTLog (certificate timestamp log) provides a configuration for
3655 // validation of Signed Certificate
3656 // Timestamps (SCTs). If the value is unset, the default behavior
3657 // by Cosign is used.
3658 "ctlog"?: {
3659 // IgnoreSCT defines whether to use the Signed Certificate
3660 // Timestamp (SCT) log to check for a certificate
3661 // timestamp. Default is false. Set to true if this was opted out
3662 // during signing.
3663 "ignoreSCT"?: bool
3664
3665 // PubKey, if set, is used to validate SCTs against a custom
3666 // source.
3667 "pubkey"?: string
3668
3669 // TSACertChain, if set, is the PEM-encoded certificate chain file
3670 // for the RFC3161 timestamp authority. Must
3671 // contain the root CA certificate. Optionally may contain
3672 // intermediate CA certificates, and
3673 // may contain the leaf TSA certificate if not present in the
3674 // timestamp response.
3675 "tsaCertChain"?: string
3676 }
3677
3678 // KMS provides the URI to the public key stored in a Key
3679 // Management System. See:
3680 // https://github.com/sigstore/cosign/blob/main/KMS.md
3681 "kms"?: string
3682
3683 // Keys is a set of X.509 public keys used to verify image
3684 // signatures. The keys can be directly
3685 // specified or can be a variable reference to a key specified in
3686 // a ConfigMap (see
3687 // https://kyverno.io/docs/writing-policies/variables/), or
3688 // reference a standard Kubernetes Secret
3689 // elsewhere in the cluster by specifying it in the format
3690 // "k8s://<namespace>/<secret_name>".
3691 // The named Secret must specify a key `cosign.pub` containing the
3692 // public key used for
3693 // verification, (see
3694 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
3695 // When multiple keys are specified each key is processed as a
3696 // separate staticKey entry
3697 // (.attestors[*].entries.keys) within the set of attestors and
3698 // the count is applied across the keys.
3699 "publicKeys"?: string
3700
3701 // Rekor provides configuration for the Rekor transparency log
3702 // service. If an empty object
3703 // is provided the public instance of Rekor
3704 // (https://rekor.sigstore.dev) is used.
3705 "rekor"?: {
3706 // IgnoreTlog skips transparency log verification. When true, no Rekor inclusion proof is required and the signature is trusted on the key or certificate alone; keep it false unless the signatures were intentionally never uploaded to a transparency log.
3707 "ignoreTlog"?: bool
3708
3709 // RekorPubKey is an optional PEM-encoded public key to use for a
3710 // custom Rekor.
3711 // If set, this will be used to validate transparency log
3712 // signatures from a custom Rekor.
3713 "pubkey"?: string
3714
3715 // URL is the address of the transparency log. Defaults to the
3716 // public Rekor log instance https://rekor.sigstore.dev.
3717 "url"?: string
3718 }
3719
3720 // Reference to a Secret resource that contains a public key
3721 "secret"?: {
3722 // Name of the secret. The provided secret must contain a key
3723 // named cosign.pub.
3724 "name"!: string
3725
3726 // Namespace name where the Secret exists.
3727 "namespace"!: string
3728 }
3729
3730 // Deprecated. Use attestor.signatureAlgorithm instead.
3731 "signatureAlgorithm"?: string
3732 }
3733
3734 // Repository is an optional alternate OCI repository to use for
3735 // signatures and attestations that match this rule.
3736 // If specified Repository will override other OCI image
3737 // repository locations for this Attestor.
3738 "repository"?: string
3739
3740 // Specify signature algorithm for public keys. Supported values
3741 // are sha224, sha256, sha384 and sha512.
3742 "signatureAlgorithm"?: string
3743 }]
3744 }]
3745
3746 // Allowed values are Audit or Enforce.
3747 "failureAction"?: "Audit" | "Enforce"
3748
3749 // ImageReferences is a list of matching image reference patterns.
3750 // At least one pattern in the
3751 // list must match the image for the rule to apply. Each image
3752 // reference consists of a registry
3753 // address (defaults to docker.io), repository, image, and tag
3754 // (defaults to latest).
3755 // Wildcards ('*' and '?') are allowed. See:
3756 // https://kubernetes.io/docs/concepts/containers/images.
3757 "imageReferences"?: [...string]
3758
3759 // ImageRegistryCredentials provides credentials that will be used
3760 // for authentication with registry
3761 "imageRegistryCredentials"?: {
3762 // AllowInsecureRegistry allows insecure access to a registry (transport-level protections are relaxed). Only enable it for test registries: it exposes image, signature and attestation fetches to tampering in transit.
3763 "allowInsecureRegistry"?: bool
3764
3765 // Providers specifies a list of OCI Registry names, whose
3766 // authentication providers are provided.
3767 // It can be of one of these values:
3768 // default,google,azure,amazon,github.
3769 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
3770
3771 // Secrets specifies a list of secrets that are provided for
3772 // credentials.
3773 // Secrets must live in the Kyverno namespace.
3774 "secrets"?: [...string]
3775 }
3776
3777 // MutateDigest enables replacement of image tags with digests.
3778 // Defaults to true.
3779 "mutateDigest"?: bool
3780
3781 // Repository is an optional alternate OCI repository to use for
3782 // image signatures and attestations that match this rule.
3783 // If specified Repository will override the default OCI image
3784 // repository configured for the installation.
3785 // The repository can also be overridden per Attestor or
3786 // Attestation.
3787 "repository"?: string
3788
3789 // Required validates that images are verified, i.e. have matched and
3790 // passed a signature or attestation check.
3791 "required"?: bool
3792
3793 // SkipImageReferences is a list of matching image reference
3794 // patterns that should be skipped.
3795 // At least one pattern in the list must match the image for the
3796 // rule to be skipped. A skipped image is not verified by this rule at all, so keep these patterns as narrow as possible. Each image reference
3797 // consists of a registry address (defaults to docker.io),
3798 // repository, image, and tag (defaults to latest).
3799 // Wildcards ('*' and '?') are allowed. See:
3800 // https://kubernetes.io/docs/concepts/containers/images.
3801 "skipImageReferences"?: [...string]
3802
3803 // Type specifies the method of signature validation. The allowed
3804 // options
3805 // are Cosign, SigstoreBundle and Notary. By default Cosign is used if a type is
3806 // not specified.
3807 "type"?: "Cosign" | "SigstoreBundle" | "Notary"
3808
3809 // UseCache enables caching of image verify responses for this
3810 // rule
3811 "useCache"?: bool
3812
3813 // Validation checks conditions across multiple image
3814 // verification attestations or context entries
3815 "validate"?: {
3816 // Deny defines conditions used to pass or fail a validation rule.
3817 "deny"?: {
3818 // Multiple conditions can be declared under an `any` or `all`
3819 // statement. A direct list
3820 // of conditions (without `any` or `all` statements) is also
3821 // supported for backwards compatibility
3822 // but will be deprecated in the next major release.
3823 // See:
3824 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
3825 "conditions"?: null | bool | number | string | [...] | {
3826 ...
3827 }
3828 }
3829
3830 // Message specifies a custom message to be displayed on failure.
3831 "message"?: string
3832 }
3833
3834 // VerifyDigest validates that images have a digest.
3835 "verifyDigest"?: bool
3836 }]
3837 }]
3838
3839 // Deprecated.
3840 "schemaValidation"?: bool
3841
3842 // UseServerSideApply controls whether to use server-side apply
3843 // for generate rules
3844 // If set to "true", create & update for generate rules will use
3845 // apply instead of create/update.
3846 // Defaults to "false" if not specified.
3847 "useServerSideApply"?: bool
3848
3849 // Deprecated, use validationFailureAction under the validate rule
3850 // instead.
3851 "validationFailureAction"?: "audit" | "enforce" | "Audit" | "Enforce"
3852
3853 // Deprecated, use validationFailureActionOverrides under the
3854 // validate rule instead.
3855 "validationFailureActionOverrides"?: [...{
3856 // ValidationFailureAction defines the policy validation failure
3857 // action
3858 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
3859
3860 // A label selector is a label query over a set of resources. The
3861 // result of matchLabels and
3862 // matchExpressions are ANDed. An empty label selector matches all
3863 // objects. A null
3864 // label selector matches no objects.
3865 "namespaceSelector"?: {
3866 // matchExpressions is a list of label selector requirements. The
3867 // requirements are ANDed.
3868 "matchExpressions"?: [...{
3869 // key is the label key that the selector applies to.
3870 "key"!: string
3871
3872 // operator represents a key's relationship to a set of values.
3873 // Valid operators are In, NotIn, Exists and DoesNotExist.
3874 "operator"!: string
3875
3876 // values is an array of string values. If the operator is In or
3877 // NotIn,
3878 // the values array must be non-empty. If the operator is Exists
3879 // or DoesNotExist,
3880 // the values array must be empty. This array is replaced during a
3881 // strategic
3882 // merge patch.
3883 "values"?: [...string]
3884 }]
3885
3886 // matchLabels is a map of {key,value} pairs. A single {key,value}
3887 // in the matchLabels
3888 // map is equivalent to an element of matchExpressions, whose key
3889 // field is "key", the
3890 // operator is "In", and the values array contains only "value".
3891 // The requirements are ANDed.
3892 "matchLabels"?: {
3893 [string]: string
3894 }
3895 }
3896 "namespaces"?: [...string]
3897 }]
3898
3899 // WebhookConfiguration specifies the custom configuration for
3900 // Kubernetes admission webhookconfiguration.
3901 "webhookConfiguration"?: {
3902 // FailurePolicy defines how unexpected policy errors and webhook
3903 // response timeout errors are handled.
3904 // Rules within the same policy share the same failure behavior.
3905 // This field should not be accessed directly, instead
3906 // `GetFailurePolicy()` should be used.
3907 // Allowed values are Ignore or Fail. Defaults to Fail. `Fail` fails closed (the request is rejected on error or timeout); `Ignore` fails open (the request is admitted without this policy's result), so use it only where availability outweighs enforcement.
3908 "failurePolicy"?: "Ignore" | "Fail"
3909
3910 // MatchCondition configures admission webhook matchConditions.
3911 // Requires Kubernetes 1.27 or later.
3912 "matchConditions"?: [...{
3913 // Expression represents the expression which will be evaluated by
3914 // CEL. Must evaluate to bool.
3915 // CEL expressions have access to the contents of the
3916 // AdmissionRequest and Authorizer, organized into CEL variables:
3917 //
3918 // 'object' - The object from the incoming request. The value is
3919 // null for DELETE requests.
3920 // 'oldObject' - The existing object. The value is null for CREATE
3921 // requests.
3922 // 'request' - Attributes of the admission
3923 // request(/pkg/apis/admission/types.go#AdmissionRequest).
3924 // 'authorizer' - A CEL Authorizer. May be used to perform
3925 // authorization checks for the principal (user or service
3926 // account) of the request.
3927 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
3928 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
3929 // from the 'authorizer' and configured with the
3930 // request resource.
3931 // Documentation on CEL:
3932 // https://kubernetes.io/docs/reference/using-api/cel/
3933 //
3934 // Required.
3935 "expression"!: string
3936
3937 // Name is an identifier for this match condition, used for
3938 // strategic merging of MatchConditions,
3939 // as well as providing an identifier for logging purposes. A good
3940 // name should be descriptive of
3941 // the associated expression.
3942 // Name must be a qualified name consisting of alphanumeric
3943 // characters, '-', '_' or '.', and
3944 // must start and end with an alphanumeric character (e.g.
3945 // 'MyName', or 'my.name', or
3946 // '123-abc', regex used for validation is
3947 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
3948 // optional DNS subdomain prefix and '/' (e.g.
3949 // 'example.com/MyName')
3950 //
3951 // Required.
3952 "name"!: string
3953 }]
3954
3955 // TimeoutSeconds specifies the maximum time in seconds allowed to
3956 // apply this policy.
3957 // After the configured time expires, the admission request may
3958 // fail, or may simply ignore the policy results,
3959 // based on the failure policy. The default timeout is 10s, the
3960 // value must be between 1 and 30 seconds.
3961 "timeoutSeconds"?: int32 & int
3962 }
3963
3964 // Deprecated, use timeoutSeconds under
3965 // webhookConfiguration instead.
3966 "webhookTimeoutSeconds"?: int32 & int
3967 }
3968
3969 // Status contains policy runtime data.
3970 "status"?: {
3971 // AutogenStatus contains autogen status information.
3972 "autogen"?: {
3973 // Rules is a list of Rule instances. It contains auto generated
3974 // rules added for pod controllers
3975 "rules"?: [...{
3976 // CELPreconditions are used to determine if a policy rule should
3977 // be applied by evaluating a
3978 // set of CEL conditions. It can only be used with the
3979 // validate.cel subrule
3980 "celPreconditions"?: [...{
3981 // Expression represents the expression which will be evaluated by
3982 // CEL. Must evaluate to bool.
3983 // CEL expressions have access to the contents of the
3984 // AdmissionRequest and Authorizer, organized into CEL variables:
3985 //
3986 // 'object' - The object from the incoming request. The value is
3987 // null for DELETE requests.
3988 // 'oldObject' - The existing object. The value is null for CREATE
3989 // requests.
3990 // 'request' - Attributes of the admission
3991 // request(/pkg/apis/admission/types.go#AdmissionRequest).
3992 // 'authorizer' - A CEL Authorizer. May be used to perform
3993 // authorization checks for the principal (user or service
3994 // account) of the request.
3995 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
3996 // 'authorizer.requestResource' - A CEL ResourceCheck constructed
3997 // from the 'authorizer' and configured with the
3998 // request resource.
3999 // Documentation on CEL:
4000 // https://kubernetes.io/docs/reference/using-api/cel/
4001 //
4002 // Required.
4003 "expression"!: string
4004
4005 // Name is an identifier for this match condition, used for
4006 // strategic merging of MatchConditions,
4007 // as well as providing an identifier for logging purposes. A good
4008 // name should be descriptive of
4009 // the associated expression.
4010 // Name must be a qualified name consisting of alphanumeric
4011 // characters, '-', '_' or '.', and
4012 // must start and end with an alphanumeric character (e.g.
4013 // 'MyName', or 'my.name', or
4014 // '123-abc', regex used for validation is
4015 // '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an
4016 // optional DNS subdomain prefix and '/' (e.g.
4017 // 'example.com/MyName')
4018 //
4019 // Required.
4020 "name"!: string
4021 }]
4022
4023 // Context defines variables and data sources that can be used
4024 // during rule execution.
4025 "context"?: [...matchN(1, [{
4026 "configMap"!: _
4027 }, {
4028 "apiCall"!: _
4029 }, {
4030 "imageRegistry"!: _
4031 }, {
4032 "variable"!: _
4033 }, {
4034 "globalReference"!: _
4035 }]) & {
4036 // APICall is an HTTP request to the Kubernetes API server, or
4037 // other JSON web service.
4038 // The data returned is stored in the context with the name for
4039 // the context entry.
4040 "apiCall"?: {
4041 // The data object specifies the POST data sent to the server.
4042 // Only applicable when the method field is set to POST.
4043 "data"?: [...{
4044 // Key is a unique identifier for the data value
4045 "key"!: string
4046
4047 // Value is the data value
4048 "value"!: null | bool | number | string | [...] | {
4049 ...
4050 }
4051 }]
4052
4053 // Default is an optional arbitrary JSON object that the context
4054 // value is set to, if the apiCall returns an error. Note that a default masks the failure: the consuming rule cannot distinguish a failed call from a real result.
4055 "default"?: null | bool | number | string | [...] | {
4056 ...
4057 }
4058
4059 // JMESPath is an optional JSON Match Expression that can be used
4060 // to
4061 // transform the JSON response returned from the server. For
4062 // example
4063 // a JMESPath of "items | length(@)" applied to the API server
4064 // response
4065 // for the URLPath "/apis/apps/v1/deployments" will return the
4066 // total count
4067 // of deployments across all namespaces.
4068 "jmesPath"?: string
4069
4070 // Method is the HTTP request type (GET or POST). Defaults to GET.
4071 "method"?: "GET" | "POST"
4072
4073 // Service is an API call to a JSON web service.
4074 // This is used for non-Kubernetes API server calls.
4075 // It's mutually exclusive with the URLPath field.
4076 "service"?: {
4077 // CABundle is a PEM encoded CA bundle which will be used to
4078 // validate
4079 // the server certificate.
4080 "caBundle"?: string
4081
4082 // Headers is a list of optional HTTP headers to be included in
4083 // the request. Header values are stored in plain text in the policy object, so avoid embedding long-lived credentials here.
4084 "headers"?: [...{
4085 // Key is the header key
4086 "key"!: string
4087
4088 // Value is the header value
4089 "value"!: string
4090 }]
4091
4092 // URL is the JSON web service URL. A typical form is
4093 // `https://{service}.{namespace}:{port}/{path}`.
4094 "url"!: string
4095 }
4096
4097 // URLPath is the URL path to be used in the HTTP GET or POST
4098 // request to the
4099 // Kubernetes API server (e.g. "/api/v1/namespaces" or
4100 // "/apis/apps/v1/deployments").
4101 // The format required is the same format used by the `kubectl get
4102 // --raw` command.
4103 // See
4104 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
4105 // for details.
4106 // It's mutually exclusive with the Service field.
4107 "urlPath"?: string
4108 }
4109
4110 // ConfigMap is the ConfigMap reference.
4111 "configMap"?: {
4112 // Name is the ConfigMap name.
4113 "name"!: string
4114
4115 // Namespace is the ConfigMap namespace.
4116 "namespace"?: string
4117 }
4118
4119 // GlobalContextEntryReference is a reference to a cached global
4120 // context entry.
4121 "globalReference"?: {
4122 // JMESPath is an optional JSON Match Expression that can be used
4123 // to
4124 // transform the JSON response returned from the server. For
4125 // example
4126 // a JMESPath of "items | length(@)" applied to the API server
4127 // response
4128 // for the URLPath "/apis/apps/v1/deployments" will return the
4129 // total count
4130 // of deployments across all namespaces.
4131 "jmesPath"?: string
4132
4133 // Name of the global context entry
4134 "name"!: string
4135 }
4136
4137 // ImageRegistry defines requests to an OCI/Docker V2 registry to
4138 // fetch image
4139 // details.
4140 "imageRegistry"?: {
4141 // ImageRegistryCredentials provides credentials that will be used
4142 // for authentication with registry
4143 "imageRegistryCredentials"?: {
4144 // AllowInsecureRegistry allows insecure access to a registry (transport-level protections are relaxed). Only enable it for test registries: it exposes image and metadata fetches to tampering in transit.
4145 "allowInsecureRegistry"?: bool
4146
4147 // Providers specifies a list of OCI Registry names, whose
4148 // authentication providers are provided.
4149 // It can be of one of these values:
4150 // default,google,azure,amazon,github.
4151 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
4152
4153 // Secrets specifies a list of secrets that are provided for
4154 // credentials.
4155 // Secrets must live in the Kyverno namespace.
4156 "secrets"?: [...string]
4157 }
4158
4159 // JMESPath is an optional JSON Match Expression that can be used
4160 // to
4161 // transform the ImageData struct returned as a result of
4162 // processing
4163 // the image reference.
4164 "jmesPath"?: string
4165
4166 // Reference is image reference to a container image in the
4167 // registry.
4168 // Example: ghcr.io/kyverno/kyverno:latest
4169 "reference"!: string
4170 }
4171
4172 // Name is the variable name.
4173 "name"!: string
4174
4175 // Variable defines an arbitrary JMESPath context variable that
4176 // can be defined inline.
4177 "variable"?: {
4178 // Default is an optional arbitrary JSON object that the variable
4179 // may take if the JMESPath
4180 // expression evaluates to nil
4181 "default"?: null | bool | number | string | [...] | {
4182 ...
4183 }
4184
4185 // JMESPath is an optional JMESPath Expression that can be used to
4186 // transform the variable.
4187 "jmesPath"?: string
4188
4189 // Value is any arbitrary JSON object representable in YAML or
4190 // JSON form.
4191 "value"?: null | bool | number | string | [...] | {
4192 ...
4193 }
4194 }
4195 }]
4196
4197 // ExcludeResources defines when this policy rule should not be
4198 // applied. The exclude
4199 // criteria can include resource information (e.g. kind, name,
4200 // namespace, labels)
4201 // and admission review request information like the name or role.
4202 "exclude"?: matchN(0, [null | bool | number | string | [...] | {
4203 "any"!: _
4204 "all"!: _
4205 }]) & {
4206 // All allows specifying resources which will be ANDed
4207 "all"?: [...{
4208 // ClusterRoles is the list of cluster-wide role names for the
4209 // user.
4210 "clusterRoles"?: [...string]
4211
4212 // ResourceDescription contains information about the resource
4213 // being created or modified.
4214 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4215 "name"!: _
4216 "names"!: _
4217 }]) & {
4218 // Annotations is a map of annotations (key-value pairs of type
4219 // string). Annotation keys
4220 // and values support the wildcard characters "*" (matches zero or
4221 // many characters) and
4222 // "?" (matches at least one character).
4223 "annotations"?: [string]: string
4224
4225 // Kinds is a list of resource kinds.
4226 "kinds"?: [...string]
4227
4228 // Name is the name of the resource. The name supports wildcard
4229 // characters
4230 // "*" (matches zero or many characters) and "?" (at least one
4231 // character).
4232 // NOTE: "Name" is being deprecated in favor of "Names".
4233 "name"?: string
4234
4235 // Names are the names of the resources. Each name supports
4236 // wildcard characters
4237 // "*" (matches zero or many characters) and "?" (at least one
4238 // character).
4239 "names"?: [...string]
4240
4241 // NamespaceSelector is a label selector for the resource
4242 // namespace. Label keys and values
4243 // in `matchLabels` support the wildcard characters `*` (matches
4244 // zero or many characters)
4245 // and `?` (matches one character). Wildcards allow writing label
4246 // selectors like
4247 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4248 // any key and value but
4249 // does not match an empty label set.
4250 "namespaceSelector"?: {
4251 // matchExpressions is a list of label selector requirements. The
4252 // requirements are ANDed.
4253 "matchExpressions"?: [...{
4254 // key is the label key that the selector applies to.
4255 "key"!: string
4256
4257 // operator represents a key's relationship to a set of values.
4258 // Valid operators are In, NotIn, Exists and DoesNotExist.
4259 "operator"!: string
4260
4261 // values is an array of string values. If the operator is In or
4262 // NotIn,
4263 // the values array must be non-empty. If the operator is Exists
4264 // or DoesNotExist,
4265 // the values array must be empty. This array is replaced during a
4266 // strategic
4267 // merge patch.
4268 "values"?: [...string]
4269 }]
4270
4271 // matchLabels is a map of {key,value} pairs. A single {key,value}
4272 // in the matchLabels
4273 // map is equivalent to an element of matchExpressions, whose key
4274 // field is "key", the
4275 // operator is "In", and the values array contains only "value".
4276 // The requirements are ANDed.
4277 "matchLabels"?: {
4278 [string]: string
4279 }
4280 }
4281
4282 // Namespaces is a list of namespaces names. Each name supports
4283 // wildcard characters
4284 // "*" (matches zero or many characters) and "?" (at least one
4285 // character).
4286 "namespaces"?: [...string]
4287
4288 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4289 // "DELETE"], which are used to match a specific action.
4290 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4291
4292 // Selector is a label selector. Label keys and values in
4293 // `matchLabels` support the wildcard
4294 // characters `*` (matches zero or many characters) and `?`
4295 // (matches one character).
4296 // Wildcards allow writing label selectors like
4297 // ["storage.k8s.io/*": "*"]. Note that
4298 // using ["*" : "*"] matches any key and value but does not match
4299 // an empty label set.
4300 "selector"?: {
4301 // matchExpressions is a list of label selector requirements. The
4302 // requirements are ANDed.
4303 "matchExpressions"?: [...{
4304 // key is the label key that the selector applies to.
4305 "key"!: string
4306
4307 // operator represents a key's relationship to a set of values.
4308 // Valid operators are In, NotIn, Exists and DoesNotExist.
4309 "operator"!: string
4310
4311 // values is an array of string values. If the operator is In or
4312 // NotIn,
4313 // the values array must be non-empty. If the operator is Exists
4314 // or DoesNotExist,
4315 // the values array must be empty. This array is replaced during a
4316 // strategic
4317 // merge patch.
4318 "values"?: [...string]
4319 }]
4320
4321 // matchLabels is a map of {key,value} pairs. A single {key,value}
4322 // in the matchLabels
4323 // map is equivalent to an element of matchExpressions, whose key
4324 // field is "key", the
4325 // operator is "In", and the values array contains only "value".
4326 // The requirements are ANDed.
4327 "matchLabels"?: {
4328 [string]: string
4329 }
4330 }
4331 }
4332
4333 // Roles is the list of namespaced role names for the user.
4334 "roles"?: [...string]
4335
4336 // Subjects is the list of subject names like users, user groups,
4337 // and service accounts.
4338 "subjects"?: [...{
4339 // APIGroup holds the API group of the referenced subject.
4340 // Defaults to "" for ServiceAccount subjects.
4341 // Defaults to "rbac.authorization.k8s.io" for User and Group
4342 // subjects.
4343 "apiGroup"?: string
4344
4345 // Kind of object being referenced. Values defined by this API
4346 // group are "User", "Group", and "ServiceAccount".
4347 // If the Authorizer does not recognize the kind value, the
4348 // Authorizer should report an error.
4349 "kind"!: string
4350
4351 // Name of the object being referenced.
4352 "name"!: string
4353
4354 // Namespace of the referenced object. If the object kind is
4355 // non-namespace, such as "User" or "Group", and this value is
4356 // not empty
4357 // the Authorizer should report an error.
4358 "namespace"?: string
4359 }]
4360 }]
4361
4362 // Any allows specifying resources which will be ORed
4363 "any"?: [...{
4364 // ClusterRoles is the list of cluster-wide role names for the
4365 // user.
4366 "clusterRoles"?: [...string]
4367
4368 // ResourceDescription contains information about the resource
4369 // being created or modified.
4370 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4371 "name"!: _
4372 "names"!: _
4373 }]) & {
4374 // Annotations is a map of annotations (key-value pairs of type
4375 // string). Annotation keys
4376 // and values support the wildcard characters "*" (matches zero or
4377 // many characters) and
4378 // "?" (matches at least one character).
4379 "annotations"?: [string]: string
4380
4381 // Kinds is a list of resource kinds.
4382 "kinds"?: [...string]
4383
4384 // Name is the name of the resource. The name supports wildcard
4385 // characters
4386 // "*" (matches zero or many characters) and "?" (at least one
4387 // character).
4388 // NOTE: "Name" is being deprecated in favor of "Names".
4389 "name"?: string
4390
4391 // Names are the names of the resources. Each name supports
4392 // wildcard characters
4393 // "*" (matches zero or many characters) and "?" (at least one
4394 // character).
4395 "names"?: [...string]
4396
4397 // NamespaceSelector is a label selector for the resource
4398 // namespace. Label keys and values
4399 // in `matchLabels` support the wildcard characters `*` (matches
4400 // zero or many characters)
4401 // and `?` (matches one character). Wildcards allow writing label
4402 // selectors like
4403 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4404 // any key and value but
4405 // does not match an empty label set.
4406 "namespaceSelector"?: {
4407 // matchExpressions is a list of label selector requirements. The
4408 // requirements are ANDed.
4409 "matchExpressions"?: [...{
4410 // key is the label key that the selector applies to.
4411 "key"!: string
4412
4413 // operator represents a key's relationship to a set of values.
4414 // Valid operators are In, NotIn, Exists and DoesNotExist.
4415 "operator"!: string
4416
4417 // values is an array of string values. If the operator is In or
4418 // NotIn,
4419 // the values array must be non-empty. If the operator is Exists
4420 // or DoesNotExist,
4421 // the values array must be empty. This array is replaced during a
4422 // strategic
4423 // merge patch.
4424 "values"?: [...string]
4425 }]
4426
4427 // matchLabels is a map of {key,value} pairs. A single {key,value}
4428 // in the matchLabels
4429 // map is equivalent to an element of matchExpressions, whose key
4430 // field is "key", the
4431 // operator is "In", and the values array contains only "value".
4432 // The requirements are ANDed.
4433 "matchLabels"?: {
4434 [string]: string
4435 }
4436 }
4437
4438 // Namespaces is a list of namespace names. Each name supports
4439 // wildcard characters
4440 // "*" (matches zero or many characters) and "?" (at least one
4441 // character).
4442 "namespaces"?: [...string]
4443
4444 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4445 // "DELETE"], which are used to match a specific action.
4446 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4447
4448 // Selector is a label selector. Label keys and values in
4449 // `matchLabels` support the wildcard
4450 // characters `*` (matches zero or many characters) and `?`
4451 // (matches one character).
4452 // Wildcards allow writing label selectors like
4453 // ["storage.k8s.io/*": "*"]. Note that
4454 // using ["*" : "*"] matches any key and value but does not match
4455 // an empty label set.
4456 "selector"?: {
4457 // matchExpressions is a list of label selector requirements. The
4458 // requirements are ANDed.
4459 "matchExpressions"?: [...{
4460 // key is the label key that the selector applies to.
4461 "key"!: string
4462
4463 // operator represents a key's relationship to a set of values.
4464 // Valid operators are In, NotIn, Exists and DoesNotExist.
4465 "operator"!: string
4466
4467 // values is an array of string values. If the operator is In or
4468 // NotIn,
4469 // the values array must be non-empty. If the operator is Exists
4470 // or DoesNotExist,
4471 // the values array must be empty. This array is replaced during a
4472 // strategic
4473 // merge patch.
4474 "values"?: [...string]
4475 }]
4476
4477 // matchLabels is a map of {key,value} pairs. A single {key,value}
4478 // in the matchLabels
4479 // map is equivalent to an element of matchExpressions, whose key
4480 // field is "key", the
4481 // operator is "In", and the values array contains only "value".
4482 // The requirements are ANDed.
4483 "matchLabels"?: {
4484 [string]: string
4485 }
4486 }
4487 }
4488
4489 // Roles is the list of namespaced role names for the user.
4490 "roles"?: [...string]
4491
4492 // Subjects is the list of subject names like users, user groups,
4493 // and service accounts.
4494 "subjects"?: [...{
4495 // APIGroup holds the API group of the referenced subject.
4496 // Defaults to "" for ServiceAccount subjects.
4497 // Defaults to "rbac.authorization.k8s.io" for User and Group
4498 // subjects.
4499 "apiGroup"?: string
4500
4501 // Kind of object being referenced. Values defined by this API
4502 // group are "User", "Group", and "ServiceAccount".
4503 // If the Authorizer does not recognize the kind value, the
4504 // Authorizer should report an error.
4505 "kind"!: string
4506
4507 // Name of the object being referenced.
4508 "name"!: string
4509
4510 // Namespace of the referenced object. If the object kind is
4511 // non-namespace, such as "User" or "Group", and this value is
4512 // not empty
4513 // the Authorizer should report an error.
4514 "namespace"?: string
4515 }]
4516 }]
4517
4518 // ClusterRoles is the list of cluster-wide role names for the
4519 // user.
4520 "clusterRoles"?: [...string]
4521
4522 // ResourceDescription contains information about the resource
4523 // being created or modified.
4524 // Requires at least one tag to be specified when under
4525 // MatchResources.
4526 // Specifying ResourceDescription directly under match is being
4527 // deprecated.
4528 // Please specify under "any" or "all" instead.
4529 "resources"?: matchN(0, [null | bool | number | string | [...] | {
4530 "name"!: _
4531 "names"!: _
4532 }]) & {
4533 // Annotations is a map of annotations (key-value pairs of type
4534 // string). Annotation keys
4535 // and values support the wildcard characters "*" (matches zero or
4536 // many characters) and
4537 // "?" (matches at least one character).
4538 "annotations"?: [string]: string
4539
4540 // Kinds is a list of resource kinds.
4541 "kinds"?: [...string]
4542
4543 // Name is the name of the resource. The name supports wildcard
4544 // characters
4545 // "*" (matches zero or many characters) and "?" (at least one
4546 // character).
4547 // NOTE: "Name" is being deprecated in favor of "Names".
4548 "name"?: string
4549
4550 // Names are the names of the resources. Each name supports
4551 // wildcard characters
4552 // "*" (matches zero or many characters) and "?" (at least one
4553 // character).
4554 "names"?: [...string]
4555
4556 // NamespaceSelector is a label selector for the resource
4557 // namespace. Label keys and values
4558 // in `matchLabels` support the wildcard characters `*` (matches
4559 // zero or many characters)
4560 // and `?` (matches one character). Wildcards allow writing label
4561 // selectors like
4562 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
4563 // any key and value but
4564 // does not match an empty label set.
4565 "namespaceSelector"?: {
4566 // matchExpressions is a list of label selector requirements. The
4567 // requirements are ANDed.
4568 "matchExpressions"?: [...{
4569 // key is the label key that the selector applies to.
4570 "key"!: string
4571
4572 // operator represents a key's relationship to a set of values.
4573 // Valid operators are In, NotIn, Exists and DoesNotExist.
4574 "operator"!: string
4575
4576 // values is an array of string values. If the operator is In or
4577 // NotIn,
4578 // the values array must be non-empty. If the operator is Exists
4579 // or DoesNotExist,
4580 // the values array must be empty. This array is replaced during a
4581 // strategic
4582 // merge patch.
4583 "values"?: [...string]
4584 }]
4585
4586 // matchLabels is a map of {key,value} pairs. A single {key,value}
4587 // in the matchLabels
4588 // map is equivalent to an element of matchExpressions, whose key
4589 // field is "key", the
4590 // operator is "In", and the values array contains only "value".
4591 // The requirements are ANDed.
4592 "matchLabels"?: {
4593 [string]: string
4594 }
4595 }
4596
4597 // Namespaces is a list of namespace names. Each name supports
4598 // wildcard characters
4599 // "*" (matches zero or many characters) and "?" (at least one
4600 // character).
4601 "namespaces"?: [...string]
4602
4603 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
4604 // "DELETE"], which are used to match a specific action.
4605 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
4606
4607 // Selector is a label selector. Label keys and values in
4608 // `matchLabels` support the wildcard
4609 // characters `*` (matches zero or many characters) and `?`
4610 // (matches one character).
4611 // Wildcards allow writing label selectors like
4612 // ["storage.k8s.io/*": "*"]. Note that
4613 // using ["*" : "*"] matches any key and value but does not match
4614 // an empty label set.
4615 "selector"?: {
4616 // matchExpressions is a list of label selector requirements. The
4617 // requirements are ANDed.
4618 "matchExpressions"?: [...{
4619 // key is the label key that the selector applies to.
4620 "key"!: string
4621
4622 // operator represents a key's relationship to a set of values.
4623 // Valid operators are In, NotIn, Exists and DoesNotExist.
4624 "operator"!: string
4625
4626 // values is an array of string values. If the operator is In or
4627 // NotIn,
4628 // the values array must be non-empty. If the operator is Exists
4629 // or DoesNotExist,
4630 // the values array must be empty. This array is replaced during a
4631 // strategic
4632 // merge patch.
4633 "values"?: [...string]
4634 }]
4635
4636 // matchLabels is a map of {key,value} pairs. A single {key,value}
4637 // in the matchLabels
4638 // map is equivalent to an element of matchExpressions, whose key
4639 // field is "key", the
4640 // operator is "In", and the values array contains only "value".
4641 // The requirements are ANDed.
4642 "matchLabels"?: {
4643 [string]: string
4644 }
4645 }
4646 }
4647
4648 // Roles is the list of namespaced role names for the user.
4649 "roles"?: [...string]
4650
4651 // Subjects is the list of subject names like users, user groups,
4652 // and service accounts. NOTE(review): like `roles` and `clusterRoles`, this matches on the admission request's user information, which a background scan does not have (see `background` in the spec); confirm that rules relying on these fields set `background: false`.
4653 "subjects"?: [...{
4654 // APIGroup holds the API group of the referenced subject.
4655 // Defaults to "" for ServiceAccount subjects.
4656 // Defaults to "rbac.authorization.k8s.io" for User and Group
4657 // subjects.
4658 "apiGroup"?: string
4659
4660 // Kind of object being referenced. Values defined by this API
4661 // group are "User", "Group", and "ServiceAccount".
4662 // If the Authorizer does not recognize the kind value, the
4663 // Authorizer should report an error.
4664 "kind"!: string
4665
4666 // Name of the object being referenced.
4667 "name"!: string
4668
4669 // Namespace of the referenced object. If the object kind is
4670 // non-namespace, such as "User" or "Group", and this value is
4671 // not empty
4672 // the Authorizer should report an error.
4673 "namespace"?: string
4674 }]
4675 }
4676
4677 // Generation is used to create new resources.
4678 "generate"?: {
4679 // APIVersion specifies resource apiVersion.
4680 "apiVersion"?: string
4681
4682 // Clone specifies the source resource used to populate each
4683 // generated resource.
4684 // At most one of Data or Clone can be specified. If neither are
4685 // provided, the generated
4686 // resource will be created with default data only. NOTE(review): cloning copies the source's contents into every target namespace the rule generates into; if the source is a Secret or similarly sensitive, check that each such namespace is actually entitled to read it.
4687 "clone"?: {
4688 // Name specifies name of the resource.
4689 "name"?: string
4690
4691 // Namespace specifies source resource namespace.
4692 "namespace"?: string
4693 }
4694
4695 // CloneList specifies the list of source resource used to
4696 // populate each generated resource.
4697 "cloneList"?: {
4698 // Kinds is a list of resource kinds.
4699 "kinds"?: [...string]
4700
4701 // Namespace specifies source resource namespace.
4702 "namespace"?: string
4703
4704 // Selector is a label selector. Label keys and values in
4705 // `matchLabels`.
4706 // wildcard characters are not supported.
4707 "selector"?: {
4708 // matchExpressions is a list of label selector requirements. The
4709 // requirements are ANDed.
4710 "matchExpressions"?: [...{
4711 // key is the label key that the selector applies to.
4712 "key"!: string
4713
4714 // operator represents a key's relationship to a set of values.
4715 // Valid operators are In, NotIn, Exists and DoesNotExist.
4716 "operator"!: string
4717
4718 // values is an array of string values. If the operator is In or
4719 // NotIn,
4720 // the values array must be non-empty. If the operator is Exists
4721 // or DoesNotExist,
4722 // the values array must be empty. This array is replaced during a
4723 // strategic
4724 // merge patch.
4725 "values"?: [...string]
4726 }]
4727
4728 // matchLabels is a map of {key,value} pairs. A single {key,value}
4729 // in the matchLabels
4730 // map is equivalent to an element of matchExpressions, whose key
4731 // field is "key", the
4732 // operator is "In", and the values array contains only "value".
4733 // The requirements are ANDed.
4734 "matchLabels"?: {
4735 [string]: string
4736 }
4737 }
4738 }
4739
4740 // Data provides the resource declaration used to populate each
4741 // generated resource.
4742 // At most one of Data or Clone can be specified. If neither are
4743 // provided, the generated
4744 // resource will be created with default data only.
4745 "data"?: null | bool | number | string | [...] | {
4746 ...
4747 }
4748
4749 // ForEach applies generate rules to a list of sub-elements by
4750 // creating a context for each entry in the list and looping over
4751 // it to apply the specified logic.
4752 "foreach"?: [...{
4753 // APIVersion specifies resource apiVersion.
4754 "apiVersion"?: string
4755
4756 // Clone specifies the source resource used to populate each
4757 // generated resource.
4758 // At most one of Data or Clone can be specified. If neither are
4759 // provided, the generated
4760 // resource will be created with default data only.
4761 "clone"?: {
4762 // Name specifies name of the resource.
4763 "name"?: string
4764
4765 // Namespace specifies source resource namespace.
4766 "namespace"?: string
4767 }
4768
4769 // CloneList specifies the list of source resource used to
4770 // populate each generated resource.
4771 "cloneList"?: {
4772 // Kinds is a list of resource kinds.
4773 "kinds"?: [...string]
4774
4775 // Namespace specifies source resource namespace.
4776 "namespace"?: string
4777
4778 // Selector is a label selector. Label keys and values in
4779 // `matchLabels`.
4780 // wildcard characters are not supported.
4781 "selector"?: {
4782 // matchExpressions is a list of label selector requirements. The
4783 // requirements are ANDed.
4784 "matchExpressions"?: [...{
4785 // key is the label key that the selector applies to.
4786 "key"!: string
4787
4788 // operator represents a key's relationship to a set of values.
4789 // Valid operators are In, NotIn, Exists and DoesNotExist.
4790 "operator"!: string
4791
4792 // values is an array of string values. If the operator is In or
4793 // NotIn,
4794 // the values array must be non-empty. If the operator is Exists
4795 // or DoesNotExist,
4796 // the values array must be empty. This array is replaced during a
4797 // strategic
4798 // merge patch.
4799 "values"?: [...string]
4800 }]
4801
4802 // matchLabels is a map of {key,value} pairs. A single {key,value}
4803 // in the matchLabels
4804 // map is equivalent to an element of matchExpressions, whose key
4805 // field is "key", the
4806 // operator is "In", and the values array contains only "value".
4807 // The requirements are ANDed.
4808 "matchLabels"?: {
4809 [string]: string
4810 }
4811 }
4812 }
4813
4814 // Context defines variables and data sources that can be used
4815 // during rule execution.
4816 "context"?: [...matchN(1, [{
4817 "configMap"!: _
4818 }, {
4819 "apiCall"!: _
4820 }, {
4821 "imageRegistry"!: _
4822 }, {
4823 "variable"!: _
4824 }, {
4825 "globalReference"!: _
4826 }]) & {
4827 // APICall is an HTTP request to the Kubernetes API server, or
4828 // other JSON web service.
4829 // The data returned is stored in the context with the name for
4830 // the context entry. NOTE(review): the schema does not say which identity the request is made with — presumably Kyverno's own service account, in which case anyone who can author policies can read whatever Kyverno can read; confirm, and scope policy-authoring rights accordingly.
4831 "apiCall"?: {
4832 // The data object specifies the POST data sent to the server.
4833 // Only applicable when the method field is set to POST.
4834 "data"?: [...{
4835 // Key is a unique identifier for the data value
4836 "key"!: string
4837
4838 // Value is the data value
4839 "value"!: null | bool | number | string | [...] | {
4840 ...
4841 }
4842 }]
4843
4844 // Default is an optional arbitrary JSON object that the context
4845 // value is set to, if the apiCall returns an error. A default turns a failed lookup into a successful one, so when the value feeds an allow/deny decision choose a default that fails closed (or omit it so the error surfaces) rather than one that makes the check pass.
4846 "default"?: null | bool | number | string | [...] | {
4847 ...
4848 }
4849
4850 // JMESPath is an optional JSON Match Expression that can be used
4851 // to
4852 // transform the JSON response returned from the server. For
4853 // example
4854 // a JMESPath of "items | length(@)" applied to the API server
4855 // response
4856 // for the URLPath "/apis/apps/v1/deployments" will return the
4857 // total count
4858 // of deployments across all namespaces.
4859 "jmesPath"?: string
4860
4861 // Method is the HTTP request type (GET or POST). Defaults to GET.
4862 "method"?: "GET" | "POST"
4863
4864 // Service is an API call to a JSON web service.
4865 // This is used for non-Kubernetes API server calls.
4866 // It's mutually exclusive with the URLPath field.
4867 "service"?: {
4868 // CABundle is a PEM encoded CA bundle which will be used to
4869 // validate
4870 // the server certificate. NOTE(review): the schema does not say what trust store is used when this is omitted — confirm before relying on a TLS service without it.
4871 "caBundle"?: string
4872
4873 // Headers is a list of optional HTTP headers to be included in
4874 // the request. Header values are plain strings stored in the policy object, so a credential placed here (e.g. a bearer token) is readable by anyone who can read policies; treat such policies as sensitive.
4875 "headers"?: [...{
4876 // Key is the header key
4877 "key"!: string
4878
4879 // Value is the header value
4880 "value"!: string
4881 }]
4882
4883 // URL is the JSON web service URL. A typical form is
4884 // `https://{service}.{namespace}:{port}/{path}`. Prefer an https URL (with `caBundle` set): over plain http any headers above travel in the clear and the response, which feeds rule logic, can be altered in transit.
4885 "url"!: string
4886 }
4887
4888 // URLPath is the URL path to be used in the HTTP GET or POST
4889 // request to the
4890 // Kubernetes API server (e.g. "/api/v1/namespaces" or
4891 // "/apis/apps/v1/deployments").
4892 // The format required is the same format used by the `kubectl get
4893 // --raw` command.
4894 // See
4895 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
4896 // for details.
4897 // It's mutually exclusive with the Service field.
4898 "urlPath"?: string
4899 }
4900
4901 // ConfigMap is the ConfigMap reference.
4902 "configMap"?: {
4903 // Name is the ConfigMap name.
4904 "name"!: string
4905
4906 // Namespace is the ConfigMap namespace.
4907 "namespace"?: string
4908 }
4909
4910 // GlobalContextEntryReference is a reference to a cached global
4911 // context entry.
4912 "globalReference"?: {
4913 // JMESPath is an optional JSON Match Expression that can be used
4914 // to
4915 // transform the JSON response returned from the server. For
4916 // example
4917 // a JMESPath of "items | length(@)" applied to the API server
4918 // response
4919 // for the URLPath "/apis/apps/v1/deployments" will return the
4920 // total count
4921 // of deployments across all namespaces.
4922 "jmesPath"?: string
4923
4924 // Name of the global context entry
4925 "name"!: string
4926 }
4927
4928 // ImageRegistry defines requests to an OCI/Docker V2 registry to
4929 // fetch image
4930 // details.
4931 "imageRegistry"?: {
4932 // ImageRegistryCredentials provides credentials that will be used
4933 // for authentication with registry
4934 "imageRegistryCredentials"?: {
4935 // AllowInsecureRegistry allows insecure access to a registry (presumably plain HTTP and/or unverified TLS — confirm). Image data fetched this way can be altered in transit, so do not base verification decisions on it; leave unset outside test setups.
4936 "allowInsecureRegistry"?: bool
4937
4938 // Providers specifies a list of OCI Registry names, whose
4939 // authentication providers are provided.
4940 // It can be of one of these values:
4941 // default,google,azure,amazon,github.
4942 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
4943
4944 // Secrets specifies a list of secrets that are provided for
4945 // credentials.
4946 // Secrets must live in the Kyverno namespace. NOTE(review): since they are referenced by name only, presumably any Secret in that namespace can be used by a policy author for registry access — confirm, and keep that namespace's Secrets limited to what policies need.
4947 "secrets"?: [...string]
4948 }
4949
4950 // JMESPath is an optional JSON Match Expression that can be used
4951 // to
4952 // transform the ImageData struct returned as a result of
4953 // processing
4954 // the image reference.
4955 "jmesPath"?: string
4956
4957 // Reference is image reference to a container image in the
4958 // registry.
4959 // Example: ghcr.io/kyverno/kyverno:latest
4960 "reference"!: string
4961 }
4962
4963 // Name is the variable name.
4964 "name"!: string
4965
4966 // Variable defines an arbitrary JMESPath context variable that
4967 // can be defined inline.
4968 "variable"?: {
4969 // Default is an optional arbitrary JSON object that the variable
4970 // may take if the JMESPath
4971 // expression evaluates to nil
4972 "default"?: null | bool | number | string | [...] | {
4973 ...
4974 }
4975
4976 // JMESPath is an optional JMESPath Expression that can be used to
4977 // transform the variable.
4978 "jmesPath"?: string
4979
4980 // Value is any arbitrary JSON object representable in YAML or
4981 // JSON form.
4982 "value"?: null | bool | number | string | [...] | {
4983 ...
4984 }
4985 }
4986 }]
4987
4988 // Data provides the resource declaration used to populate each
4989 // generated resource.
4990 // At most one of Data or Clone can be specified. If neither are
4991 // provided, the generated
4992 // resource will be created with default data only.
4993 "data"?: null | bool | number | string | [...] | {
4994 ...
4995 }
4996
4997 // Kind specifies resource kind.
4998 "kind"?: string
4999
5000 // List specifies a JMESPath expression that results in one or
5001 // more elements
5002 // to which the generate logic is applied.
5003 "list"?: string
5004
5005 // Name specifies the resource name.
5006 "name"?: string
5007
5008 // Namespace specifies resource namespace.
5009 "namespace"?: string
5010
5011 // AnyAllConditions are used to determine if a policy rule should
5012 // be applied by evaluating a
5013 // set of conditions. The declaration can contain nested `any` or
5014 // `all` statements.
5015 // See: https://kyverno.io/docs/writing-policies/preconditions/
5016 "preconditions"?: {
5017 // AllConditions enable variable-based conditional rule execution.
5018 // This is useful for
5019 // finer control of when a rule is applied. A condition can
5020 // reference object data
5021 // using JMESPath notation.
5022 // Here, all of the conditions need to pass
5023 "all"?: [...{
5024 // Key is the context entry (using JMESPath) for conditional rule
5025 // evaluation.
5026 "key"?: null | bool | number | string | [...] | {
5027 ...
5028 }
5029
5030 // Message is an optional display message
5031 "message"?: string
5032
5033 // Operator is the conditional operation to perform. Valid
5034 // operators are:
5035 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5036 // GreaterThanOrEquals,
5037 // GreaterThan, LessThanOrEquals, LessThan,
5038 // DurationGreaterThanOrEquals, DurationGreaterThan,
5039 // DurationLessThanOrEquals, DurationLessThan
5040 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5041
5042 // Value is the conditional value, or set of values. The values
5043 // can be fixed set
5044 // or can be variables declared using JMESPath.
5045 "value"?: null | bool | number | string | [...] | {
5046 ...
5047 }
5048 }]
5049
5050 // AnyConditions enable variable-based conditional rule execution.
5051 // This is useful for
5052 // finer control of when a rule is applied. A condition can
5053 // reference object data
5054 // using JMESPath notation.
5055 // Here, at least one of the conditions need to pass
5056 "any"?: [...{
5057 // Key is the context entry (using JMESPath) for conditional rule
5058 // evaluation.
5059 "key"?: null | bool | number | string | [...] | {
5060 ...
5061 }
5062
5063 // Message is an optional display message
5064 "message"?: string
5065
5066 // Operator is the conditional operation to perform. Valid
5067 // operators are:
5068 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5069 // GreaterThanOrEquals,
5070 // GreaterThan, LessThanOrEquals, LessThan,
5071 // DurationGreaterThanOrEquals, DurationGreaterThan,
5072 // DurationLessThanOrEquals, DurationLessThan
5073 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5074
5075 // Value is the conditional value, or set of values. The values
5076 // can be fixed set
5077 // or can be variables declared using JMESPath.
5078 "value"?: null | bool | number | string | [...] | {
5079 ...
5080 }
5081 }]
5082 ...
5083 }
5084
5085 // UID specifies the resource uid.
5086 "uid"?: string
5087 }]
5088
5089 // GenerateExisting controls whether to trigger the rule in
5090 // existing resources.
5091 // If set to "true" the rule will be triggered and applied to
5092 // existing matched resources, i.e. resources that existed before the policy did, not only new admissions.
5093 "generateExisting"?: bool
5094
5095 // Kind specifies resource kind.
5096 "kind"?: string
5097
5098 // Name specifies the resource name.
5099 "name"?: string
5100
5101 // Namespace specifies resource namespace.
5102 "namespace"?: string
5103
5104 // OrphanDownstreamOnPolicyDelete controls whether generated
5105 // resources should be deleted when the rule that generated
5106 // them is deleted with synchronization enabled. This option is
5107 // only applicable to generate rules of the data type.
5108 // See
5109 // https://kyverno.io/docs/writing-policies/generate/#data-examples.
5110 // Defaults to "false" if not specified.
5111 "orphanDownstreamOnPolicyDelete"?: bool
5112
5113 // Synchronize controls if generated resources should be kept
5114 // in-sync with their source resource.
5115 // If Synchronize is set to "true" changes to generated resources
5116 // will be overwritten with resource
5117 // data from Data or the resource specified in the Clone
5118 // declaration.
5119 // Optional. Defaults to "false" if not specified.
5120 "synchronize"?: bool
5121
5122 // UID specifies the resource uid.
5123 "uid"?: string
5124 }
5125
5126 // ImageExtractors defines a mapping from kinds to
5127 // ImageExtractorConfigs.
5128 // This config is only valid for verifyImages rules. NOTE(review): an image reference that no extractor `path` reaches is presumably not seen by the verifyImages rule at all, so an incomplete extractor silently leaves images unverified — confirm, and review paths against the kind's full schema.
5129 "imageExtractors"?: {
5130 [string]: [...{
5131 // JMESPath is an optional JMESPath expression to apply to the
5132 // image value.
5133 // This is useful when the extracted image begins with a prefix
5134 // like 'docker://'.
5135 // The 'trim_prefix' function may be used to trim the prefix:
5136 // trim_prefix(@, 'docker://').
5137 // Note - Image digest mutation may not be used when applying a
5138 // JMESPath to an image.
5139 "jmesPath"?: string
5140
5141 // Key is an optional name of the field within 'path' that will be
5142 // used to uniquely identify an image.
5143 // Note - this field MUST be unique.
5144 "key"?: string
5145
5146 // Name is the entry the image will be available under
5147 // 'images.<name>' in the context.
5148 // If this field is not defined, image entries will appear under
5149 // 'images.custom'.
5150 "name"?: string
5151
5152 // Path is the path to the object containing the image field in a
5153 // custom resource.
5154 // It should be slash-separated. Each slash-separated key must be
5155 // a valid YAML key or a wildcard '*'.
5156 // Wildcard keys are expanded in case of arrays or objects.
5157 "path"!: string
5158
5159 // Value is an optional name of the field within 'path' that
5160 // points to the image URI.
5161 // This is useful when a custom 'key' is also defined.
5162 "value"?: string
5163 }]
5164 }
5165
5166 // MatchResources defines when this policy rule should be applied.
5167 // The match
5168 // criteria can include resource information (e.g. kind, name,
5169 // namespace, labels)
5170 // and admission review request information like the user name or
5171 // role.
5172 // At least one kind is required.
5173 "match"!: matchN(0, [null | bool | number | string | [...] | {
5174 "any"!: _
5175 "all"!: _
5176 }]) & {
5177 // All allows specifying resources which will be ANDed
5178 "all"?: [...{
5179 // ClusterRoles is the list of cluster-wide role names for the
5180 // user.
5181 "clusterRoles"?: [...string]
5182
5183 // ResourceDescription contains information about the resource
5184 // being created or modified.
5185 "resources"?: matchN(0, [null | bool | number | string | [...] | {
5186 "name"!: _
5187 "names"!: _
5188 }]) & {
5189 // Annotations is a map of annotations (key-value pairs of type
5190 // string). Annotation keys
5191 // and values support the wildcard characters "*" (matches zero or
5192 // many characters) and
5193 // "?" (matches at least one character).
5194 "annotations"?: [string]: string
5195
5196 // Kinds is a list of resource kinds.
5197 "kinds"?: [...string]
5198
5199 // Name is the name of the resource. The name supports wildcard
5200 // characters
5201 // "*" (matches zero or many characters) and "?" (at least one
5202 // character).
5203 // NOTE: "Name" is being deprecated in favor of "Names".
5204 "name"?: string
5205
5206 // Names are the names of the resources. Each name supports
5207 // wildcard characters
5208 // "*" (matches zero or many characters) and "?" (at least one
5209 // character).
5210 "names"?: [...string]
5211
5212 // NamespaceSelector is a label selector for the resource
5213 // namespace. Label keys and values
5214 // in `matchLabels` support the wildcard characters `*` (matches
5215 // zero or many characters)
5216 // and `?` (matches one character). Wildcards allow writing label
5217 // selectors like
5218 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5219 // any key and value but
5220 // does not match an empty label set.
5221 "namespaceSelector"?: {
5222 // matchExpressions is a list of label selector requirements. The
5223 // requirements are ANDed.
5224 "matchExpressions"?: [...{
5225 // key is the label key that the selector applies to.
5226 "key"!: string
5227
5228 // operator represents a key's relationship to a set of values.
5229 // Valid operators are In, NotIn, Exists and DoesNotExist.
5230 "operator"!: string
5231
5232 // values is an array of string values. If the operator is In or
5233 // NotIn,
5234 // the values array must be non-empty. If the operator is Exists
5235 // or DoesNotExist,
5236 // the values array must be empty. This array is replaced during a
5237 // strategic
5238 // merge patch.
5239 "values"?: [...string]
5240 }]
5241
5242 // matchLabels is a map of {key,value} pairs. A single {key,value}
5243 // in the matchLabels
5244 // map is equivalent to an element of matchExpressions, whose key
5245 // field is "key", the
5246 // operator is "In", and the values array contains only "value".
5247 // The requirements are ANDed.
5248 "matchLabels"?: {
5249 [string]: string
5250 }
5251 }
5252
5253 // Namespaces is a list of namespace names. Each name supports
5254 // wildcard characters
5255 // "*" (matches zero or many characters) and "?" (at least one
5256 // character).
5257 "namespaces"?: [...string]
5258
5259 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5260 // "DELETE"], which are used to match a specific action.
5261 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5262
5263 // Selector is a label selector. Label keys and values in
5264 // `matchLabels` support the wildcard
5265 // characters `*` (matches zero or many characters) and `?`
5266 // (matches one character).
5267 // Wildcards allow writing label selectors like
5268 // ["storage.k8s.io/*": "*"]. Note that
5269 // using ["*" : "*"] matches any key and value but does not match
5270 // an empty label set.
5271 "selector"?: {
5272 // matchExpressions is a list of label selector requirements. The
5273 // requirements are ANDed.
5274 "matchExpressions"?: [...{
5275 // key is the label key that the selector applies to.
5276 "key"!: string
5277
5278 // operator represents a key's relationship to a set of values.
5279 // Valid operators are In, NotIn, Exists and DoesNotExist.
5280 "operator"!: string
5281
5282 // values is an array of string values. If the operator is In or
5283 // NotIn,
5284 // the values array must be non-empty. If the operator is Exists
5285 // or DoesNotExist,
5286 // the values array must be empty. This array is replaced during a
5287 // strategic
5288 // merge patch.
5289 "values"?: [...string]
5290 }]
5291
5292 // matchLabels is a map of {key,value} pairs. A single {key,value}
5293 // in the matchLabels
5294 // map is equivalent to an element of matchExpressions, whose key
5295 // field is "key", the
5296 // operator is "In", and the values array contains only "value".
5297 // The requirements are ANDed.
5298 "matchLabels"?: {
5299 [string]: string
5300 }
5301 }
5302 }
5303
5304 // Roles is the list of namespaced role names for the user.
5305 "roles"?: [...string]
5306
5307 // Subjects is the list of subject names like users, user groups,
5308 // and service accounts.
5309 "subjects"?: [...{
5310 // APIGroup holds the API group of the referenced subject.
5311 // Defaults to "" for ServiceAccount subjects.
5312 // Defaults to "rbac.authorization.k8s.io" for User and Group
5313 // subjects.
5314 "apiGroup"?: string
5315
5316 // Kind of object being referenced. Values defined by this API
5317 // group are "User", "Group", and "ServiceAccount".
5318 // If the Authorizer does not recognize the kind value, the
5319 // Authorizer should report an error.
5320 "kind"!: string
5321
5322 // Name of the object being referenced.
5323 "name"!: string
5324
5325 // Namespace of the referenced object. If the object kind is
5326 // non-namespaced, such as "User" or "Group", and this value is
5327 // not empty
5328 // the Authorizer should report an error.
5329 "namespace"?: string
5330 }]
5331 }]
5332
5333 // Any allows specifying resources which will be ORed
5334 "any"?: [...{
5335 // ClusterRoles is the list of cluster-wide role names for the
5336 // user.
5337 "clusterRoles"?: [...string]
5338
5339 // ResourceDescription contains information about the resource
5340 // being created or modified.
5341 "resources"?: matchN(0, [null | bool | number | string | [...] | {
5342 "name"!: _
5343 "names"!: _
5344 }]) & {
5345 // Annotations is a map of annotations (key-value pairs of type
5346 // string). Annotation keys
5347 // and values support the wildcard characters "*" (matches zero or
5348 // many characters) and
5349 // "?" (matches at least one character).
5350 "annotations"?: [string]: string
5351
5352 // Kinds is a list of resource kinds.
5353 "kinds"?: [...string]
5354
5355 // Name is the name of the resource. The name supports wildcard
5356 // characters
5357 // "*" (matches zero or many characters) and "?" (at least one
5358 // character).
5359 // NOTE: "Name" is being deprecated in favor of "Names".
5360 "name"?: string
5361
5362 // Names are the names of the resources. Each name supports
5363 // wildcard characters
5364 // "*" (matches zero or many characters) and "?" (at least one
5365 // character).
5366 "names"?: [...string]
5367
5368 // NamespaceSelector is a label selector for the resource
5369 // namespace. Label keys and values
5370 // in `matchLabels` support the wildcard characters `*` (matches
5371 // zero or many characters)
5372 // and `?` (matches one character). Wildcards allow writing label
5373 // selectors like
5374 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5375 // any key and value but
5376 // does not match an empty label set.
5377 "namespaceSelector"?: {
5378 // matchExpressions is a list of label selector requirements. The
5379 // requirements are ANDed.
5380 "matchExpressions"?: [...{
5381 // key is the label key that the selector applies to.
5382 "key"!: string
5383
5384 // operator represents a key's relationship to a set of values.
5385 // Valid operators are In, NotIn, Exists and DoesNotExist.
5386 "operator"!: string
5387
5388 // values is an array of string values. If the operator is In or
5389 // NotIn,
5390 // the values array must be non-empty. If the operator is Exists
5391 // or DoesNotExist,
5392 // the values array must be empty. This array is replaced during a
5393 // strategic
5394 // merge patch.
5395 "values"?: [...string]
5396 }]
5397
5398 // matchLabels is a map of {key,value} pairs. A single {key,value}
5399 // in the matchLabels
5400 // map is equivalent to an element of matchExpressions, whose key
5401 // field is "key", the
5402 // operator is "In", and the values array contains only "value".
5403 // The requirements are ANDed.
5404 "matchLabels"?: {
5405 [string]: string
5406 }
5407 }
5408
5409 // Namespaces is a list of namespace names. Each name supports
5410 // wildcard characters
5411 // "*" (matches zero or many characters) and "?" (at least one
5412 // character).
5413 "namespaces"?: [...string]
5414
5415 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5416 // "DELETE"], which are used to match a specific action.
5417 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5418
5419 // Selector is a label selector. Label keys and values in
5420 // `matchLabels` support the wildcard
5421 // characters `*` (matches zero or many characters) and `?`
5422 // (matches one character).
5423 // Wildcards allow writing label selectors like
5424 // ["storage.k8s.io/*": "*"]. Note that
5425 // using ["*" : "*"] matches any key and value but does not match
5426 // an empty label set.
5427 "selector"?: {
5428 // matchExpressions is a list of label selector requirements. The
5429 // requirements are ANDed.
5430 "matchExpressions"?: [...{
5431 // key is the label key that the selector applies to.
5432 "key"!: string
5433
5434 // operator represents a key's relationship to a set of values.
5435 // Valid operators are In, NotIn, Exists and DoesNotExist.
5436 "operator"!: string
5437
5438 // values is an array of string values. If the operator is In or
5439 // NotIn,
5440 // the values array must be non-empty. If the operator is Exists
5441 // or DoesNotExist,
5442 // the values array must be empty. This array is replaced during a
5443 // strategic
5444 // merge patch.
5445 "values"?: [...string]
5446 }]
5447
5448 // matchLabels is a map of {key,value} pairs. A single {key,value}
5449 // in the matchLabels
5450 // map is equivalent to an element of matchExpressions, whose key
5451 // field is "key", the
5452 // operator is "In", and the values array contains only "value".
5453 // The requirements are ANDed.
5454 "matchLabels"?: {
5455 [string]: string
5456 }
5457 }
5458 }
5459
5460 // Roles is the list of namespaced role names for the user.
5461 "roles"?: [...string]
5462
5463 // Subjects is the list of subject names like users, user groups,
5464 // and service accounts.
5465 "subjects"?: [...{
5466 // APIGroup holds the API group of the referenced subject.
5467 // Defaults to "" for ServiceAccount subjects.
5468 // Defaults to "rbac.authorization.k8s.io" for User and Group
5469 // subjects.
5470 "apiGroup"?: string
5471
5472 // Kind of object being referenced. Values defined by this API
5473 // group are "User", "Group", and "ServiceAccount".
5474 // If the Authorizer does not recognize the kind value, the
5475 // Authorizer should report an error.
5476 "kind"!: string
5477
5478 // Name of the object being referenced.
5479 "name"!: string
5480
5481 // Namespace of the referenced object. If the object kind is
5482 // non-namespaced, such as "User" or "Group", and this value is
5483 // not empty
5484 // the Authorizer should report an error.
5485 "namespace"?: string
5486 }]
5487 }]
5488
5489 // ClusterRoles is the list of cluster-wide role names for the
5490 // user.
5491 "clusterRoles"?: [...string]
5492
5493 // ResourceDescription contains information about the resource
5494 // being created or modified.
5495 // Requires at least one tag to be specified when under
5496 // MatchResources.
5497 // Specifying ResourceDescription directly under match is being
5498 // deprecated.
5499 // Please specify under "any" or "all" instead.
5500 "resources"?: matchN(0, [null | bool | number | string | [...] | {
5501 "name"!: _
5502 "names"!: _
5503 }]) & {
5504 // Annotations is a map of annotations (key-value pairs of type
5505 // string). Annotation keys
5506 // and values support the wildcard characters "*" (matches zero or
5507 // many characters) and
5508 // "?" (matches at least one character).
5509 "annotations"?: [string]: string
5510
5511 // Kinds is a list of resource kinds.
5512 "kinds"?: [...string]
5513
5514 // Name is the name of the resource. The name supports wildcard
5515 // characters
5516 // "*" (matches zero or many characters) and "?" (at least one
5517 // character).
5518 // NOTE: "Name" is being deprecated in favor of "Names".
5519 "name"?: string
5520
5521 // Names are the names of the resources. Each name supports
5522 // wildcard characters
5523 // "*" (matches zero or many characters) and "?" (at least one
5524 // character).
5525 "names"?: [...string]
5526
5527 // NamespaceSelector is a label selector for the resource
5528 // namespace. Label keys and values
5529 // in `matchLabels` support the wildcard characters `*` (matches
5530 // zero or many characters)
5531 // and `?` (matches one character). Wildcards allow writing label
5532 // selectors like
5533 // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
5534 // any key and value but
5535 // does not match an empty label set.
5536 "namespaceSelector"?: {
5537 // matchExpressions is a list of label selector requirements. The
5538 // requirements are ANDed.
5539 "matchExpressions"?: [...{
5540 // key is the label key that the selector applies to.
5541 "key"!: string
5542
5543 // operator represents a key's relationship to a set of values.
5544 // Valid operators are In, NotIn, Exists and DoesNotExist.
5545 "operator"!: string
5546
5547 // values is an array of string values. If the operator is In or
5548 // NotIn,
5549 // the values array must be non-empty. If the operator is Exists
5550 // or DoesNotExist,
5551 // the values array must be empty. This array is replaced during a
5552 // strategic
5553 // merge patch.
5554 "values"?: [...string]
5555 }]
5556
5557 // matchLabels is a map of {key,value} pairs. A single {key,value}
5558 // in the matchLabels
5559 // map is equivalent to an element of matchExpressions, whose key
5560 // field is "key", the
5561 // operator is "In", and the values array contains only "value".
5562 // The requirements are ANDed.
5563 "matchLabels"?: {
5564 [string]: string
5565 }
5566 }
5567
5568 // Namespaces is a list of namespace names. Each name supports
5569 // wildcard characters
5570 // "*" (matches zero or many characters) and "?" (at least one
5571 // character).
5572 "namespaces"?: [...string]
5573
5574 // Operations can contain values ["CREATE", "UPDATE", "CONNECT",
5575 // "DELETE"], which are used to match a specific action.
5576 "operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
5577
5578 // Selector is a label selector. Label keys and values in
5579 // `matchLabels` support the wildcard
5580 // characters `*` (matches zero or many characters) and `?`
5581 // (matches one character).
5582 // Wildcards allow writing label selectors like
5583 // ["storage.k8s.io/*": "*"]. Note that
5584 // using ["*" : "*"] matches any key and value but does not match
5585 // an empty label set.
5586 "selector"?: {
5587 // matchExpressions is a list of label selector requirements. The
5588 // requirements are ANDed.
5589 "matchExpressions"?: [...{
5590 // key is the label key that the selector applies to.
5591 "key"!: string
5592
5593 // operator represents a key's relationship to a set of values.
5594 // Valid operators are In, NotIn, Exists and DoesNotExist.
5595 "operator"!: string
5596
5597 // values is an array of string values. If the operator is In or
5598 // NotIn,
5599 // the values array must be non-empty. If the operator is Exists
5600 // or DoesNotExist,
5601 // the values array must be empty. This array is replaced during a
5602 // strategic
5603 // merge patch.
5604 "values"?: [...string]
5605 }]
5606
5607 // matchLabels is a map of {key,value} pairs. A single {key,value}
5608 // in the matchLabels
5609 // map is equivalent to an element of matchExpressions, whose key
5610 // field is "key", the
5611 // operator is "In", and the values array contains only "value".
5612 // The requirements are ANDed.
5613 "matchLabels"?: {
5614 [string]: string
5615 }
5616 }
5617 }
5618
5619 // Roles is the list of namespaced role names for the user.
5620 "roles"?: [...string]
5621
5622 // Subjects is the list of subject names like users, user groups,
5623 // and service accounts.
5624 "subjects"?: [...{
5625 // APIGroup holds the API group of the referenced subject.
5626 // Defaults to "" for ServiceAccount subjects.
5627 // Defaults to "rbac.authorization.k8s.io" for User and Group
5628 // subjects.
5629 "apiGroup"?: string
5630
5631 // Kind of object being referenced. Values defined by this API
5632 // group are "User", "Group", and "ServiceAccount".
5633 // If the Authorizer does not recognize the kind value, the
5634 // Authorizer should report an error.
5635 "kind"!: string
5636
5637 // Name of the object being referenced.
5638 "name"!: string
5639
5640 // Namespace of the referenced object. If the object kind is
5641 // non-namespaced, such as "User" or "Group", and this value is
5642 // not empty
5643 // the Authorizer should report an error.
5644 "namespace"?: string
5645 }]
5646 }
5647
5648 // Mutation is used to modify matching resources.
5649 "mutate"?: {
5650 // ForEach applies mutation rules to a list of sub-elements by
5651 // creating a context for each entry in the list and looping over
5652 // it to apply the specified logic.
5653 "foreach"?: [...{
5654 // Context defines variables and data sources that can be used
5655 // during rule execution.
5656 "context"?: [...matchN(1, [{
5657 "configMap"!: _
5658 }, {
5659 "apiCall"!: _
5660 }, {
5661 "imageRegistry"!: _
5662 }, {
5663 "variable"!: _
5664 }, {
5665 "globalReference"!: _
5666 }]) & {
5667 // APICall is an HTTP request to the Kubernetes API server, or
5668 // other JSON web service.
5669 // The data returned is stored in the context with the name for
5670 // the context entry.
5671 "apiCall"?: {
5672 // The data object specifies the POST data sent to the server.
5673 // Only applicable when the method field is set to POST.
5674 "data"?: [...{
5675 // Key is a unique identifier for the data value
5676 "key"!: string
5677
5678 // Value is the data value
5679 "value"!: null | bool | number | string | [...] | {
5680 ...
5681 }
5682 }]
5683
5684 // Default is an optional arbitrary JSON object that the context
5685 // value is set to, if the apiCall returns error.
5686 "default"?: null | bool | number | string | [...] | {
5687 ...
5688 }
5689
5690 // JMESPath is an optional JSON Match Expression that can be used
5691 // to
5692 // transform the JSON response returned from the server. For
5693 // example
5694 // a JMESPath of "items | length(@)" applied to the API server
5695 // response
5696 // for the URLPath "/apis/apps/v1/deployments" will return the
5697 // total count
5698 // of deployments across all namespaces.
5699 "jmesPath"?: string
5700
5701 // Method is the HTTP request type (GET or POST). Defaults to GET.
5702 "method"?: "GET" | "POST"
5703
5704 // Service is an API call to a JSON web service.
5705 // This is used for non-Kubernetes API server calls.
5706 // It's mutually exclusive with the URLPath field.
5707 "service"?: {
5708 // CABundle is a PEM encoded CA bundle which will be used to
5709 // validate
5710 // the server certificate.
5711 "caBundle"?: string
5712
5713 // Headers is a list of optional HTTP headers to be included in
5714 // the request.
5715 "headers"?: [...{
5716 // Key is the header key
5717 "key"!: string
5718
5719 // Value is the header value
5720 "value"!: string
5721 }]
5722
5723 // URL is the JSON web service URL. A typical form is
5724 // `https://{service}.{namespace}:{port}/{path}`.
5725 "url"!: string
5726 }
5727
5728 // URLPath is the URL path to be used in the HTTP GET or POST
5729 // request to the
5730 // Kubernetes API server (e.g. "/api/v1/namespaces" or
5731 // "/apis/apps/v1/deployments").
5732 // The format required is the same format used by the `kubectl get
5733 // --raw` command.
5734 // See
5735 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
5736 // for details.
5737 // It's mutually exclusive with the Service field.
5738 "urlPath"?: string
5739 }
5740
5741 // ConfigMap is the ConfigMap reference.
5742 "configMap"?: {
5743 // Name is the ConfigMap name.
5744 "name"!: string
5745
5746 // Namespace is the ConfigMap namespace.
5747 "namespace"?: string
5748 }
5749
5750 // GlobalContextEntryReference is a reference to a cached global
5751 // context entry.
5752 "globalReference"?: {
5753 // JMESPath is an optional JSON Match Expression that can be used
5754 // to
5755 // transform the JSON response returned from the server. For
5756 // example
5757 // a JMESPath of "items | length(@)" applied to the API server
5758 // response
5759 // for the URLPath "/apis/apps/v1/deployments" will return the
5760 // total count
5761 // of deployments across all namespaces.
5762 "jmesPath"?: string
5763
5764 // Name of the global context entry
5765 "name"!: string
5766 }
5767
5768 // ImageRegistry defines requests to an OCI/Docker V2 registry to
5769 // fetch image
5770 // details.
5771 "imageRegistry"?: {
5772 // ImageRegistryCredentials provides credentials that will be used
5773 // for authentication with registry
5774 "imageRegistryCredentials"?: {
5775 // AllowInsecureRegistry allows insecure access to a registry.
5776 "allowInsecureRegistry"?: bool
5777
5778 // Providers specifies a list of OCI Registry names, whose
5779 // authentication providers are provided.
5780 // It can be of one of these values:
5781 // default,google,azure,amazon,github.
5782 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
5783
5784 // Secrets specifies a list of secrets that are provided for
5785 // credentials.
5786 // Secrets must live in the Kyverno namespace.
5787 "secrets"?: [...string]
5788 }
5789
5790 // JMESPath is an optional JSON Match Expression that can be used
5791 // to
5792 // transform the ImageData struct returned as a result of
5793 // processing
5794 // the image reference.
5795 "jmesPath"?: string
5796
5797 // Reference is image reference to a container image in the
5798 // registry.
5799 // Example: ghcr.io/kyverno/kyverno:latest
5800 "reference"!: string
5801 }
5802
5803 // Name is the variable name.
5804 "name"!: string
5805
5806 // Variable defines an arbitrary JMESPath context variable that
5807 // can be defined inline.
5808 "variable"?: {
5809 // Default is an optional arbitrary JSON object that the variable
5810 // may take if the JMESPath
5811 // expression evaluates to nil
5812 "default"?: null | bool | number | string | [...] | {
5813 ...
5814 }
5815
5816 // JMESPath is an optional JMESPath Expression that can be used to
5817 // transform the variable.
5818 "jmesPath"?: string
5819
5820 // Value is any arbitrary JSON object representable in YAML or
5821 // JSON form.
5822 "value"?: null | bool | number | string | [...] | {
5823 ...
5824 }
5825 }
5826 }]
5827
5828 // Foreach declares a nested foreach iterator
5829 "foreach"?: null | bool | number | string | [...] | {
5830 ...
5831 }
5832
5833 // List specifies a JMESPath expression that results in one or
5834 // more elements
5835 // to which the validation logic is applied.
5836 "list"?: string
5837
5838 // Order defines the iteration order on the list.
5839 // Can be Ascending to iterate from first to last element or
5840 // Descending to iterate in from last to first element.
5841 "order"?: "Ascending" | "Descending"
5842
5843 // PatchStrategicMerge is a strategic merge patch used to modify
5844 // resources.
5845 // See
5846 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
5847 // and
5848 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
5849 "patchStrategicMerge"?: null | bool | number | string | [...] | {
5850 ...
5851 }
5852
5853 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
5854 // used to modify resources.
5855 // See https://tools.ietf.org/html/rfc6902 and
5856 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
5857 "patchesJson6902"?: string
5858
5859 // AnyAllConditions are used to determine if a policy rule should
5860 // be applied by evaluating a
5861 // set of conditions. The declaration can contain nested `any` or
5862 // `all` statements.
5863 // See: https://kyverno.io/docs/writing-policies/preconditions/
5864 "preconditions"?: {
5865 // AllConditions enable variable-based conditional rule execution.
5866 // This is useful for
5867 // finer control of when a rule is applied. A condition can
5868 // reference object data
5869 // using JMESPath notation.
5870 // Here, all of the conditions need to pass
5871 "all"?: [...{
5872 // Key is the context entry (using JMESPath) for conditional rule
5873 // evaluation.
5874 "key"?: null | bool | number | string | [...] | {
5875 ...
5876 }
5877
5878 // Message is an optional display message
5879 "message"?: string
5880
5881 // Operator is the conditional operation to perform. Valid
5882 // operators are:
5883 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5884 // GreaterThanOrEquals,
5885 // GreaterThan, LessThanOrEquals, LessThan,
5886 // DurationGreaterThanOrEquals, DurationGreaterThan,
5887 // DurationLessThanOrEquals, DurationLessThan
5888 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5889
5890 // Value is the conditional value, or set of values. The values
5891 // can be fixed set
5892 // or can be variables declared using JMESPath.
5893 "value"?: null | bool | number | string | [...] | {
5894 ...
5895 }
5896 }]
5897
5898 // AnyConditions enable variable-based conditional rule execution.
5899 // This is useful for
5900 // finer control of when a rule is applied. A condition can
5901 // reference object data
5902 // using JMESPath notation.
5903 // Here, at least one of the conditions need to pass
5904 "any"?: [...{
5905 // Key is the context entry (using JMESPath) for conditional rule
5906 // evaluation.
5907 "key"?: null | bool | number | string | [...] | {
5908 ...
5909 }
5910
5911 // Message is an optional display message
5912 "message"?: string
5913
5914 // Operator is the conditional operation to perform. Valid
5915 // operators are:
5916 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
5917 // GreaterThanOrEquals,
5918 // GreaterThan, LessThanOrEquals, LessThan,
5919 // DurationGreaterThanOrEquals, DurationGreaterThan,
5920 // DurationLessThanOrEquals, DurationLessThan
5921 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
5922
5923 // Value is the conditional value, or set of values. The values
5924 // can be fixed set
5925 // or can be variables declared using JMESPath.
5926 "value"?: null | bool | number | string | [...] | {
5927 ...
5928 }
5929 }]
5930 ...
5931 }
5932 }]
5933
5934 // MutateExistingOnPolicyUpdate controls if the mutateExisting
5935 // rule will be applied on policy events.
5936 "mutateExistingOnPolicyUpdate"?: bool
5937
5938 // PatchStrategicMerge is a strategic merge patch used to modify
5939 // resources.
5940 // See
5941 // https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
5942 // and
5943 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
5944 "patchStrategicMerge"?: null | bool | number | string | [...] | {
5945 ...
5946 }
5947
5948 // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations
5949 // used to modify resources.
5950 // See https://tools.ietf.org/html/rfc6902 and
5951 // https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
5952 "patchesJson6902"?: string
5953
5954 // Targets defines the target resources to be mutated.
5955 "targets"?: [...{
5956 // APIVersion specifies resource apiVersion.
5957 "apiVersion"?: string
5958
5959 // Context defines variables and data sources that can be used
5960 // during rule execution.
5961 "context"?: [...matchN(1, [{
5962 "configMap"!: _
5963 }, {
5964 "apiCall"!: _
5965 }, {
5966 "imageRegistry"!: _
5967 }, {
5968 "variable"!: _
5969 }, {
5970 "globalReference"!: _
5971 }]) & {
5972 // APICall is an HTTP request to the Kubernetes API server, or
5973 // other JSON web service.
5974 // The data returned is stored in the context with the name for
5975 // the context entry.
5976 "apiCall"?: {
5977 // The data object specifies the POST data sent to the server.
5978 // Only applicable when the method field is set to POST.
5979 "data"?: [...{
5980 // Key is a unique identifier for the data value
5981 "key"!: string
5982
5983 // Value is the data value
5984 "value"!: null | bool | number | string | [...] | {
5985 ...
5986 }
5987 }]
5988
5989 // Default is an optional arbitrary JSON object that the context
5990 // value is set to, if the apiCall returns error.
5991 "default"?: null | bool | number | string | [...] | {
5992 ...
5993 }
5994
5995 // JMESPath is an optional JSON Match Expression that can be used
5996 // to
5997 // transform the JSON response returned from the server. For
5998 // example
5999 // a JMESPath of "items | length(@)" applied to the API server
6000 // response
6001 // for the URLPath "/apis/apps/v1/deployments" will return the
6002 // total count
6003 // of deployments across all namespaces.
6004 "jmesPath"?: string
6005
6006 // Method is the HTTP request type (GET or POST). Defaults to GET.
6007 "method"?: "GET" | "POST"
6008
6009 // Service is an API call to a JSON web service.
6010 // This is used for non-Kubernetes API server calls.
6011 // It's mutually exclusive with the URLPath field.
6012 "service"?: {
6013 // CABundle is a PEM encoded CA bundle which will be used to
6014 // validate
6015 // the server certificate.
6016 "caBundle"?: string
6017
6018 // Headers is a list of optional HTTP headers to be included in
6019 // the request.
6020 "headers"?: [...{
6021 // Key is the header key
6022 "key"!: string
6023
6024 // Value is the header value
6025 "value"!: string
6026 }]
6027
6028 // URL is the JSON web service URL. A typical form is
6029 // `https://{service}.{namespace}:{port}/{path}`.
6030 "url"!: string
6031 }
6032
6033 // URLPath is the URL path to be used in the HTTP GET or POST
6034 // request to the
6035 // Kubernetes API server (e.g. "/api/v1/namespaces" or
6036 // "/apis/apps/v1/deployments").
6037 // The format required is the same format used by the `kubectl get
6038 // --raw` command.
6039 // See
6040 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6041 // for details.
6042 // It's mutually exclusive with the Service field.
6043 "urlPath"?: string
6044 }
6045
6046 // ConfigMap is the ConfigMap reference.
6047 "configMap"?: {
6048 // Name is the ConfigMap name.
6049 "name"!: string
6050
6051 // Namespace is the ConfigMap namespace.
6052 "namespace"?: string
6053 }
6054
6055 // GlobalContextEntryReference is a reference to a cached global
6056 // context entry.
6057 "globalReference"?: {
6058 // JMESPath is an optional JSON Match Expression that can be used
6059 // to
6060 // transform the JSON response returned from the server. For
6061 // example
6062 // a JMESPath of "items | length(@)" applied to the API server
6063 // response
6064 // for the URLPath "/apis/apps/v1/deployments" will return the
6065 // total count
6066 // of deployments across all namespaces.
6067 "jmesPath"?: string
6068
6069 // Name of the global context entry
6070 "name"!: string
6071 }
6072
6073 // ImageRegistry defines requests to an OCI/Docker V2 registry to
6074 // fetch image
6075 // details.
6076 "imageRegistry"?: {
6077 // ImageRegistryCredentials provides credentials that will be used
6078 // for authentication with registry
6079 "imageRegistryCredentials"?: {
6080 // AllowInsecureRegistry allows insecure access to a registry.
6081 "allowInsecureRegistry"?: bool
6082
6083 // Providers specifies a list of OCI Registry names, whose
6084 // authentication providers are provided.
6085 // It can be of one of these values:
6086 // default,google,azure,amazon,github.
6087 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6088
6089 // Secrets specifies a list of secrets that are provided for
6090 // credentials.
6091 // Secrets must live in the Kyverno namespace.
6092 "secrets"?: [...string]
6093 }
6094
6095 // JMESPath is an optional JSON Match Expression that can be used
6096 // to
6097 // transform the ImageData struct returned as a result of
6098 // processing
6099 // the image reference.
6100 "jmesPath"?: string
6101
6102 // Reference is image reference to a container image in the
6103 // registry.
6104 // Example: ghcr.io/kyverno/kyverno:latest
6105 "reference"!: string
6106 }
6107
6108 // Name is the variable name.
6109 "name"!: string
6110
6111 // Variable defines an arbitrary JMESPath context variable that
6112 // can be defined inline.
6113 "variable"?: {
6114 // Default is an optional arbitrary JSON object that the variable
6115 // may take if the JMESPath
6116 // expression evaluates to nil
6117 "default"?: null | bool | number | string | [...] | {
6118 ...
6119 }
6120
6121 // JMESPath is an optional JMESPath Expression that can be used to
6122 // transform the variable.
6123 "jmesPath"?: string
6124
6125 // Value is any arbitrary JSON object representable in YAML or
6126 // JSON form.
6127 "value"?: null | bool | number | string | [...] | {
6128 ...
6129 }
6130 }
6131 }]
6132
6133 // Kind specifies resource kind.
6134 "kind"?: string
6135
6136 // Name specifies the resource name.
6137 "name"?: string
6138
6139 // Namespace specifies resource namespace.
6140 "namespace"?: string
6141
6142 // Preconditions are used to determine if a policy rule should be
6143 // applied by evaluating a
6144 // set of conditions. The declaration can contain nested `any` or
6145 // `all` statements. A direct list
6146 // of conditions (without `any` or `all` statements) is supported
6147 // for backwards compatibility but
6148 // will be deprecated in the next major release.
6149 // See: https://kyverno.io/docs/writing-policies/preconditions/
6150 "preconditions"?: null | bool | number | string | [...] | {
6151 ...
6152 }
6153
6154 // Selector allows you to select target resources with their
6155 // labels.
6156 "selector"?: {
6157 // matchExpressions is a list of label selector requirements. The
6158 // requirements are ANDed.
6159 "matchExpressions"?: [...{
6160 // key is the label key that the selector applies to.
6161 "key"!: string
6162
6163 // operator represents a key's relationship to a set of values.
6164 // Valid operators are In, NotIn, Exists and DoesNotExist.
6165 "operator"!: string
6166
6167 // values is an array of string values. If the operator is In or
6168 // NotIn,
6169 // the values array must be non-empty. If the operator is Exists
6170 // or DoesNotExist,
6171 // the values array must be empty. This array is replaced during a
6172 // strategic
6173 // merge patch.
6174 "values"?: [...string]
6175 }]
6176
6177 // matchLabels is a map of {key,value} pairs. A single {key,value}
6178 // in the matchLabels
6179 // map is equivalent to an element of matchExpressions, whose key
6180 // field is "key", the
6181 // operator is "In", and the values array contains only "value".
6182 // The requirements are ANDed.
6183 "matchLabels"?: {
6184 [string]: string
6185 }
6186 }
6187
6188 // UID specifies the resource uid.
6189 "uid"?: string
6190 }]
6191 }
6192
6193 // Name is a label to identify the rule, It must be unique within
6194 // the policy.
6195 "name"!: strings.MaxRunes(
6196 63)
6197
6198 // Preconditions are used to determine if a policy rule should be
6199 // applied by evaluating a
6200 // set of conditions. The declaration can contain nested `any` or
6201 // `all` statements. A direct list
6202 // of conditions (without `any` or `all` statements) is supported
6203 // for backwards compatibility but
6204 // will be deprecated in the next major release.
6205 // See: https://kyverno.io/docs/writing-policies/preconditions/
6206 "preconditions"?: null | bool | number | string | [...] | {
6207 ...
6208 }
6209
6210 // ReportProperties are the additional properties from the rule
6211 // that will be added to the policy report result
6212 "reportProperties"?: {
6213 [string]: string
6214 }
6215
6216 // SkipBackgroundRequests bypasses admission requests that are
6217 // sent by the background controller.
6218 // The default value is set to "true", it must be set to "false"
6219 // to apply
6220 // generate and mutateExisting rules to those requests.
6221 "skipBackgroundRequests"?: bool
6222
6223 // Validation is used to validate matching resources.
6224 "validate"?: {
6225 // AllowExistingViolations allows preexisting violating resources
6226 // (resources that already violated the rule) to continue
     // violating a policy.
6227 "allowExistingViolations"?: bool
6228
6229 // AnyPattern specifies list of validation patterns. At least one
6230 // of the patterns
6231 // must be satisfied for the validation rule to succeed.
6232 "anyPattern"?: null | bool | number | string | [...] | {
6233 ...
6234 }
6235
6236 // Assert defines a kyverno-json assertion tree.
6237 "assert"?: {
6238 ...
6239 }
6240
6241 // CEL allows validation checks using the Common Expression
6242 // Language
6243 // (https://kubernetes.io/docs/reference/using-api/cel/).
6244 "cel"?: {
6245 // AuditAnnotations contains CEL expressions which are used to
6246 // produce audit annotations for the audit event of the API
6247 // request.
6248 "auditAnnotations"?: [...{
6249 // key specifies the audit annotation key. The audit annotation
6250 // keys of
6251 // a ValidatingAdmissionPolicy must be unique. The key must be a
6252 // qualified
6253 // name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in
6254 // length.
6255 //
6256 // The key is combined with the resource name of the
6257 // ValidatingAdmissionPolicy to construct an audit annotation key:
6258 // "{ValidatingAdmissionPolicy name}/{key}".
6259 //
6260 // If an admission webhook uses the same resource name as this
6261 // ValidatingAdmissionPolicy
6262 // and the same audit annotation key, the annotation key will be
6263 // identical.
6264 // In this case, the first annotation written with the key will be
6265 // included
6266 // in the audit event and all subsequent annotations with the same
6267 // key
6268 // will be discarded.
6269 //
6270 // Required.
6271 "key"!: string
6272
6273 // valueExpression represents the expression which is evaluated by
6274 // CEL to
6275 // produce an audit annotation value. The expression must evaluate
6276 // to either
6277 // a string or null value. If the expression evaluates to a
6278 // string, the
6279 // audit annotation is included with the string value. If the
6280 // expression
6281 // evaluates to null or empty string the audit annotation will be
6282 // omitted.
6283 // The valueExpression may be no longer than 5kb in length.
6284 // If the result of the valueExpression is more than 10kb in
6285 // length, it
6286 // will be truncated to 10kb.
6287 //
6288 // If multiple ValidatingAdmissionPolicyBinding resources match an
6289 // API request, then the valueExpression will be evaluated for
6290 // each binding. All unique values produced by the
6291 // valueExpressions
6292 // will be joined together in a comma-separated list.
6293 //
6294 // Required.
6295 "valueExpression"!: string
6296 }]
6297
6298 // Expressions is a list of CELExpression types.
6299 "expressions"?: [...{
6300 // Expression represents the expression which will be evaluated by
6301 // CEL.
6302 // ref: https://github.com/google/cel-spec
6303 // CEL expressions have access to the contents of the API
6304 // request/response, organized into CEL variables as well as some
6305 // other useful variables:
6306 //
6307 // - 'object' - The object from the incoming request. The value is
6308 // null for DELETE requests.
6309 // - 'oldObject' - The existing object. The value is null for
6310 // CREATE requests.
6311 // - 'request' - Attributes of the API
6312 // request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).
6313 // - 'params' - Parameter resource referred to by the policy
6314 // binding being evaluated. Only populated if the policy has a
6315 // ParamKind.
6316 // - 'namespaceObject' - The namespace object that the incoming
6317 // object belongs to. The value is null for cluster-scoped
6318 // resources.
6319 // - 'variables' - Map of composited variables, from its name to
6320 // its lazily evaluated value.
6321 // For example, a variable named 'foo' can be accessed as
6322 // 'variables.foo'.
6323 // - 'authorizer' - A CEL Authorizer. May be used to perform
6324 // authorization checks for the principal (user or service
6325 // account) of the request.
6326 // See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz
6327 // - 'authorizer.requestResource' - A CEL ResourceCheck
6328 // constructed from the 'authorizer' and configured with the
6329 // request resource.
6330 //
6331 // The `apiVersion`, `kind`, `metadata.name` and
6332 // `metadata.generateName` are always accessible from the root of
6333 // the
6334 // object. No other metadata properties are accessible.
6335 //
6336 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`
6337 // are accessible.
6338 // Accessible property names are escaped according to the
6339 // following rules when accessed in the expression:
6340 // - '__' escapes to '__underscores__'
6341 // - '.' escapes to '__dot__'
6342 // - '-' escapes to '__dash__'
6343 // - '/' escapes to '__slash__'
6344 // - Property names that exactly match a CEL RESERVED keyword
6345 // escape to '__{keyword}__'. The keywords are:
6346 // "true", "false", "null", "in", "as", "break", "const",
6347 // "continue", "else", "for", "function", "if",
6348 // "import", "let", "loop", "package", "namespace", "return".
6349 // Examples:
6350 // - Expression accessing a property named "namespace":
6351 // {"Expression": "object.__namespace__ > 0"}
6352 // - Expression accessing a property named "x-prop":
6353 // {"Expression": "object.x__dash__prop > 0"}
6354 // - Expression accessing a property named "redact__d":
6355 // {"Expression": "object.redact__underscores__d > 0"}
6356 //
6357 // Equality on arrays with list type of 'set' or 'map' ignores
6358 // element order, i.e. [1, 2] == [2, 1].
6359 // Concatenation on arrays with x-kubernetes-list-type use the
6360 // semantics of the list type:
6361 // - 'set': `X + Y` performs a union where the array positions of
6362 // all elements in `X` are preserved and
6363 // non-intersecting elements in `Y` are appended, retaining their
6364 // partial order.
6365 // - 'map': `X + Y` performs a merge where the array positions of
6366 // all keys in `X` are preserved but the values
6367 // are overwritten by values in `Y` when the key sets of `X` and
6368 // `Y` intersect. Elements in `Y` with
6369 // non-intersecting keys are appended, retaining their partial
6370 // order.
6371 // Required.
6372 "expression"!: string
6373
6374 // Message represents the message displayed when validation fails.
6375 // The message is required if the Expression contains
6376 // line breaks. The message must not contain line breaks.
6377 // If unset, the message is "failed rule: {Rule}".
6378 // e.g. "must be a URL with the host matching spec.host"
6379 // If the Expression contains line breaks, Message is required.
6380 // The message must not contain line breaks.
6381 // If unset, the message is "failed Expression: {Expression}".
6382 "message"?: string
6383
6384 // messageExpression declares a CEL expression that evaluates to
6385 // the validation failure message that is returned when this rule
6386 // fails.
6387 // Since messageExpression is used as a failure message, it must
6388 // evaluate to a string.
6389 // If both message and messageExpression are present on a
6390 // validation, then messageExpression will be used if validation
6391 // fails.
6392 // If messageExpression results in a runtime error, the runtime
6393 // error is logged, and the validation failure message is
6394 // produced
6395 // as if the messageExpression field were unset. If
6396 // messageExpression evaluates to an empty string, a string with
6397 // only spaces, or a string
6398 // that contains line breaks, then the validation failure message
6399 // will also be produced as if the messageExpression field were
6400 // unset, and
6401 // the fact that messageExpression produced an empty string/string
6402 // with only spaces/string with line breaks will be logged.
6403 // messageExpression has access to all the same variables as the
6404 // `expression` except for 'authorizer' and
6405 // 'authorizer.requestResource'.
6406 // Example:
6407 // "object.x must be less than max ("+string(params.max)+")"
6408 "messageExpression"?: string
6409
6410 // Reason represents a machine-readable description of why this
6411 // validation failed.
6412 // If this is the first validation in the list to fail, this
6413 // reason, as well as the
6414 // corresponding HTTP response code, are used in the
6415 // HTTP response to the client.
6416 // The currently supported reasons are: "Unauthorized",
6417 // "Forbidden", "Invalid", "RequestEntityTooLarge".
6418 // If not set, StatusReasonInvalid is used in the response to the
6419 // client.
6420 "reason"?: string
6421 }]
6422
6423 // ParamKind is a tuple of Group Kind and Version.
6424 "paramKind"?: {
6425 // APIVersion is the API group version the resources belong to.
6426 // In format of "group/version".
6427 // Required.
6428 "apiVersion"?: string
6429
6430 // Kind is the API kind the resources belong to.
6431 // Required.
6432 "kind"?: string
6433 }
6434
6435 // ParamRef references a parameter resource.
6436 "paramRef"?: {
6437 // name is the name of the resource being referenced.
6438 //
6439 // One of `name` or `selector` must be set, but `name` and
6440 // `selector` are
6441 // mutually exclusive properties. If one is set, the other must be
6442 // unset.
6443 //
6444 // A single parameter used for all admission requests can be
6445 // configured
6446 // by setting the `name` field, leaving `selector` blank, and
6447 // setting namespace
6448 // if `paramKind` is namespace-scoped.
6449 "name"?: string
6450
6451 // namespace is the namespace of the referenced resource. Allows
6452 // limiting
6453 // the search for params to a specific namespace. Applies to both
6454 // `name` and
6455 // `selector` fields.
6456 //
6457 // A per-namespace parameter may be used by specifying a
6458 // namespace-scoped
6459 // `paramKind` in the policy and leaving this field empty.
6460 //
6461 // - If `paramKind` is cluster-scoped, this field MUST be unset.
6462 // Setting this
6463 // field results in a configuration error.
6464 //
6465 // - If `paramKind` is namespace-scoped, the namespace of the
6466 // object being
6467 // evaluated for admission will be used when this field is left
6468 // unset. Take
6469 // care that if this is left empty the binding must not match any
6470 // cluster-scoped
6471 // resources, which will result in an error.
6472 "namespace"?: string
6473
6474 // `parameterNotFoundAction` controls the behavior of the binding
6475 // when the resource
6476 // exists, and name or selector is valid, but there are no
6477 // parameters
6478 // matched by the binding. If the value is set to `Allow`, then no
6479 // matched parameters will be treated as successful validation by
6480 // the binding.
6481 // If set to `Deny`, then no matched parameters will be subject to
6482 // the
6483 // `failurePolicy` of the policy.
6484 //
6485 // Allowed values are `Allow` or `Deny`
6486 //
6487 // Required
6488 "parameterNotFoundAction"?: string
6489
6490 // selector can be used to match multiple param objects based on
6491 // their labels.
6492 // Supply selector: {} to match all resources of the ParamKind.
6493 //
6494 // If multiple params are found, they are all evaluated with the
6495 // policy expressions
6496 // and the results are ANDed together.
6497 //
6498 // One of `name` or `selector` must be set, but `name` and
6499 // `selector` are
6500 // mutually exclusive properties. If one is set, the other must be
6501 // unset.
6502 "selector"?: {
6503 // matchExpressions is a list of label selector requirements. The
6504 // requirements are ANDed.
6505 "matchExpressions"?: [...{
6506 // key is the label key that the selector applies to.
6507 "key"!: string
6508
6509 // operator represents a key's relationship to a set of values.
6510 // Valid operators are In, NotIn, Exists and DoesNotExist.
6511 "operator"!: string
6512
6513 // values is an array of string values. If the operator is In or
6514 // NotIn,
6515 // the values array must be non-empty. If the operator is Exists
6516 // or DoesNotExist,
6517 // the values array must be empty. This array is replaced during a
6518 // strategic
6519 // merge patch.
6520 "values"?: [...string]
6521 }]
6522
6523 // matchLabels is a map of {key,value} pairs. A single {key,value}
6524 // in the matchLabels
6525 // map is equivalent to an element of matchExpressions, whose key
6526 // field is "key", the
6527 // operator is "In", and the values array contains only "value".
6528 // The requirements are ANDed.
6529 "matchLabels"?: {
6530 [string]: string
6531 }
6532 }
6533 }
6534
6535 // Variables contain definitions of variables that can be used in
6536 // composition of other expressions.
6537 // Each variable is defined as a named CEL expression.
6538 // The variables defined here will be available under `variables`
6539 // in other expressions of the policy.
6540 "variables"?: [...{
6541 // Expression is the expression that will be evaluated as the
6542 // value of the variable.
6543 // The CEL expression has access to the same identifiers as the
6544 // CEL expressions in Validation.
6545 "expression"!: string
6546
6547 // Name is the name of the variable. The name must be a valid CEL
6548 // identifier and unique among all variables.
6549 // The variable can be accessed in other expressions through
6550 // `variables`
6551 // For example, if name is "foo", the variable will be available
6552 // as `variables.foo`
6553 "name"!: string
6554 }]
6555 }
6556
6557 // Deny defines conditions used to pass or fail a validation rule.
6558 "deny"?: {
6559 // Multiple conditions can be declared under an `any` or `all`
6560 // statement. A direct list
6561 // of conditions (without `any` or `all` statements) is also
6562 // supported for backwards compatibility
6563 // but will be deprecated in the next major release.
6564 // See:
6565 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
6566 "conditions"?: null | bool | number | string | [...] | {
6567 ...
6568 }
6569 }
6570
6571 // FailureAction defines if a validation policy rule violation
6572 // should block
6573 // the admission review request (Enforce), or allow (Audit) the
6574 // admission review request
6575 // and report an error in a policy report. Optional.
6576 // Allowed values are Audit or Enforce.
6577 "failureAction"?: "Audit" | "Enforce"
6578
6579 // FailureActionOverrides is a Cluster Policy attribute that
6580 // specifies FailureAction
6581 // namespace-wise. It overrides FailureAction for the specified
6582 // namespaces.
6583 "failureActionOverrides"?: [...{
6584 // ValidationFailureAction defines the policy validation failure
6585 // action
6586 "action"?: "audit" | "enforce" | "Audit" | "Enforce"
6587
6588 // A label selector is a label query over a set of resources. The
6589 // result of matchLabels and
6590 // matchExpressions are ANDed. An empty label selector matches all
6591 // objects. A null
6592 // label selector matches no objects.
6593 "namespaceSelector"?: {
6594 // matchExpressions is a list of label selector requirements. The
6595 // requirements are ANDed.
6596 "matchExpressions"?: [...{
6597 // key is the label key that the selector applies to.
6598 "key"!: string
6599
6600 // operator represents a key's relationship to a set of values.
6601 // Valid operators are In, NotIn, Exists and DoesNotExist.
6602 "operator"!: string
6603
6604 // values is an array of string values. If the operator is In or
6605 // NotIn,
6606 // the values array must be non-empty. If the operator is Exists
6607 // or DoesNotExist,
6608 // the values array must be empty. This array is replaced during a
6609 // strategic
6610 // merge patch.
6611 "values"?: [...string]
6612 }]
6613
6614 // matchLabels is a map of {key,value} pairs. A single {key,value}
6615 // in the matchLabels
6616 // map is equivalent to an element of matchExpressions, whose key
6617 // field is "key", the
6618 // operator is "In", and the values array contains only "value".
6619 // The requirements are ANDed.
6620 "matchLabels"?: {
6621 [string]: string
6622 }
6623 }
6624 "namespaces"?: [...string]
6625 }]
6626
6627 // ForEach applies validate rules to a list of sub-elements by
6628 // creating a context for each entry in the list and looping over
6629 // it to apply the specified logic.
6630 "foreach"?: [...{
6631 // AnyPattern specifies list of validation patterns. At least one
6632 // of the patterns
6633 // must be satisfied for the validation rule to succeed.
6634 "anyPattern"?: null | bool | number | string | [...] | {
6635 ...
6636 }
6637
6638 // Context defines variables and data sources that can be used
6639 // during rule execution.
6640 "context"?: [...matchN(1, [{
6641 "configMap"!: _
6642 }, {
6643 "apiCall"!: _
6644 }, {
6645 "imageRegistry"!: _
6646 }, {
6647 "variable"!: _
6648 }, {
6649 "globalReference"!: _
6650 }]) & {
6651 // APICall is an HTTP request to the Kubernetes API server, or
6652 // other JSON web service.
6653 // The data returned is stored in the context with the name for
6654 // the context entry.
6655 "apiCall"?: {
6656 // The data object specifies the POST data sent to the server.
6657 // Only applicable when the method field is set to POST.
6658 "data"?: [...{
6659 // Key is a unique identifier for the data value
6660 "key"!: string
6661
6662 // Value is the data value
6663 "value"!: null | bool | number | string | [...] | {
6664 ...
6665 }
6666 }]
6667
6668 // Default is an optional arbitrary JSON object that the context
6669 // value is set to, if the apiCall returns error.
6670 "default"?: null | bool | number | string | [...] | {
6671 ...
6672 }
6673
6674 // JMESPath is an optional JSON Match Expression that can be used
6675 // to
6676 // transform the JSON response returned from the server. For
6677 // example
6678 // a JMESPath of "items | length(@)" applied to the API server
6679 // response
6680 // for the URLPath "/apis/apps/v1/deployments" will return the
6681 // total count
6682 // of deployments across all namespaces.
6683 "jmesPath"?: string
6684
6685 // Method is the HTTP request type (GET or POST). Defaults to GET.
6686 "method"?: "GET" | "POST"
6687
6688 // Service is an API call to a JSON web service.
6689 // This is used for non-Kubernetes API server calls.
6690 // It's mutually exclusive with the URLPath field.
6691 "service"?: {
6692 // CABundle is a PEM encoded CA bundle which will be used to
6693 // validate
6694 // the server's TLS certificate.
6695 "caBundle"?: string
6696
6697 // Headers is a list of optional HTTP headers to be included in
6698 // the request.
6699 "headers"?: [...{
6700 // Key is the header key
6701 "key"!: string
6702
6703 // Value is the header value. It is stored in clear text in the
     // policy object, so avoid embedding long-lived credentials here.
6704 "value"!: string
6705 }]
6706
6707 // URL is the JSON web service URL. A typical form is
6708 // `https://{service}.{namespace}:{port}/{path}`.
6709 "url"!: string
6710 }
6711
6712 // URLPath is the URL path to be used in the HTTP GET or POST
6713 // request to the
6714 // Kubernetes API server (e.g. "/api/v1/namespaces" or
6715 // "/apis/apps/v1/deployments").
6716 // The format required is the same format used by the `kubectl get
6717 // --raw` command.
6718 // See
6719 // https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
6720 // for details.
6721 // It's mutually exclusive with the Service field.
6722 "urlPath"?: string
6723 }
6724
6725 // ConfigMap is the ConfigMap reference.
6726 "configMap"?: {
6727 // Name is the ConfigMap name.
6728 "name"!: string
6729
6730 // Namespace is the ConfigMap namespace.
6731 "namespace"?: string
6732 }
6733
6734 // GlobalContextEntryReference is a reference to a cached global
6735 // context entry.
6736 "globalReference"?: {
6737 // JMESPath is an optional JSON Match Expression that can be used
6738 // to
6739 // transform the value of the referenced global context entry. For
6740 // example, if the entry holds the API server response for the
6741 // URLPath "/apis/apps/v1/deployments", a JMESPath of
6742 // "items | length(@)" will return the total count
6743 // of deployments across all namespaces.
6746 "jmesPath"?: string
6747
6748 // Name of the global context entry
6749 "name"!: string
6750 }
6751
6752 // ImageRegistry defines requests to an OCI/Docker V2 registry to
6753 // fetch image
6754 // details.
6755 "imageRegistry"?: {
6756 // ImageRegistryCredentials provides credentials that will be used
6757 // for authentication with registry
6758 "imageRegistryCredentials"?: {
6759 // AllowInsecureRegistry allows insecure access to a registry.
6760 // Security note: this relaxes transport-level protection for the
     // registry connection and should be left unset (false) except for
     // trusted test registries.
6761
6762 // Providers specifies a list of OCI Registry names, whose
6763 // authentication providers are provided.
6764 // It can be of one of these values:
6765 // default,google,azure,amazon,github.
6766 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
6767
6768 // Secrets specifies a list of secrets that are provided for
6769 // credentials.
6770 // Secrets must live in the Kyverno namespace.
6771 "secrets"?: [...string]
6772 }
6773
6774 // JMESPath is an optional JSON Match Expression that can be used
6775 // to
6776 // transform the ImageData struct returned as a result of
6777 // processing
6778 // the image reference.
6779 "jmesPath"?: string
6780
6781 // Reference is image reference to a container image in the
6782 // registry.
6783 // Example: ghcr.io/kyverno/kyverno:latest
6784 "reference"!: string
6785 }
6786
6787 // Name is the variable name.
6788 "name"!: string
6789
6790 // Variable defines an arbitrary JMESPath context variable that
6791 // can be defined inline.
6792 "variable"?: {
6793 // Default is an optional arbitrary JSON object that the variable
6794 // may take if the JMESPath
6795 // expression evaluates to nil
6796 "default"?: null | bool | number | string | [...] | {
6797 ...
6798 }
6799
6800 // JMESPath is an optional JMESPath Expression that can be used to
6801 // transform the variable.
6802 "jmesPath"?: string
6803
6804 // Value is any arbitrary JSON object representable in YAML or
6805 // JSON form.
6806 "value"?: null | bool | number | string | [...] | {
6807 ...
6808 }
6809 }
6810 }]
6811
6812 // Deny defines conditions used to pass or fail a validation rule.
6813 "deny"?: {
6814 // Multiple conditions can be declared under an `any` or `all`
6815 // statement. A direct list
6816 // of conditions (without `any` or `all` statements) is also
6817 // supported for backwards compatibility
6818 // but will be deprecated in the next major release.
6819 // See:
6820 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
6821 "conditions"?: null | bool | number | string | [...] | {
6822 ...
6823 }
6824 }
6825
6826 // ElementScope specifies whether to use the current list element
6827 // as the scope for validation. Defaults to "true" if not
6828 // specified.
6829 // When set to "false", "request.object" is used as the validation
6830 // scope within the foreach
6831 // block to allow referencing other elements in the subtree.
6832 "elementScope"?: bool
6833
6834 // Foreach declares a nested foreach iterator
6835 "foreach"?: null | bool | number | string | [...] | {
6836 ...
6837 }
6838
6839 // List specifies a JMESPath expression that results in one or
6840 // more elements
6841 // to which the validation logic is applied.
6842 "list"?: string
6843
6844 // Pattern specifies an overlay-style pattern used to check
6845 // resources.
6846 "pattern"?: null | bool | number | string | [...] | {
6847 ...
6848 }
6849
6850 // AnyAllConditions are used to determine if a policy rule should
6851 // be applied by evaluating a
6852 // set of conditions. The declaration can contain nested `any` or
6853 // `all` statements.
6854 // See: https://kyverno.io/docs/writing-policies/preconditions/
6855 "preconditions"?: {
6856 // AllConditions enable variable-based conditional rule execution.
6857 // This is useful for
6858 // finer control of when a rule is applied. A condition can
6859 // reference object data
6860 // using JMESPath notation.
6861 // Here, all of the conditions need to pass
6862 "all"?: [...{
6863 // Key is the context entry (using JMESPath) for conditional rule
6864 // evaluation.
6865 "key"?: null | bool | number | string | [...] | {
6866 ...
6867 }
6868
6869 // Message is an optional display message
6870 "message"?: string
6871
6872 // Operator is the conditional operation to perform. Valid
6873 // operators are:
6874 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6875 // GreaterThanOrEquals,
6876 // GreaterThan, LessThanOrEquals, LessThan,
6877 // DurationGreaterThanOrEquals, DurationGreaterThan,
6878 // DurationLessThanOrEquals, DurationLessThan
6879 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6880
6881 // Value is the conditional value, or set of values. The values
6882 // can be fixed set
6883 // or can be variables declared using JMESPath.
6884 "value"?: null | bool | number | string | [...] | {
6885 ...
6886 }
6887 }]
6888
6889 // AnyConditions enable variable-based conditional rule execution.
6890 // This is useful for
6891 // finer control of when a rule is applied. A condition can
6892 // reference object data
6893 // using JMESPath notation.
6894 // Here, at least one of the conditions need to pass
6895 "any"?: [...{
6896 // Key is the context entry (using JMESPath) for conditional rule
6897 // evaluation.
6898 "key"?: null | bool | number | string | [...] | {
6899 ...
6900 }
6901
6902 // Message is an optional display message
6903 "message"?: string
6904
6905 // Operator is the conditional operation to perform. Valid
6906 // operators are:
6907 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
6908 // GreaterThanOrEquals,
6909 // GreaterThan, LessThanOrEquals, LessThan,
6910 // DurationGreaterThanOrEquals, DurationGreaterThan,
6911 // DurationLessThanOrEquals, DurationLessThan
6912 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
6913
6914 // Value is the conditional value, or set of values. The values
6915 // can be fixed set
6916 // or can be variables declared using JMESPath.
6917 "value"?: null | bool | number | string | [...] | {
6918 ...
6919 }
6920 }]
6921 ...
6922 }
6923 }]
6924
6925 // Manifest specifies conditions for manifest verification
6926 "manifests"?: {
6927 // AnnotationDomain is custom domain of annotation for message and
6928 // signature. Default is "cosign.sigstore.dev".
6929 "annotationDomain"?: string
6930
6931 // Attestors specified the required attestors (i.e. authorities)
6932 "attestors"?: [...{
6933 // Count specifies the required number of entries that must match.
6934 // If the count is null, all entries must match
6935 // (a logical AND). If the count is 1, at least one entry must
6936 // match (a logical OR). If the count contains a
6937 // value N, then N must be less than or equal to the size of
6938 // entries, and at least N entries must match.
6939 "count"?: int & >=1
6940
6941 // Entries contains the available attestors. An attestor can be a
6942 // static key,
6943 // attributes for keyless verification, or a nested attestor
6944 // declaration.
6945 "entries"?: [...{
6946 // Annotations are used for image verification.
6947 // Every specified key-value pair must exist and match in the
6948 // verified payload.
6949 // The payload may contain other key-value pairs.
6950 "annotations"?: [string]: string
6951
6952 // Attestor is a nested set of Attestor used to specify a more
6953 // complex set of match authorities.
6954 "attestor"?: null | bool | number | string | [...] | {
6955 ...
6956 }
6957
6958 // Certificates specifies one or more certificates.
6959 "certificates"?: {
6960 // Cert is an optional PEM-encoded public certificate.
6961 "cert"?: string
6962
6963 // CertChain is an optional PEM encoded set of certificates used
6964 // to verify.
6965 "certChain"?: string
6966
6967 // CTLog (certificate transparency log) provides a configuration for
6968 // validation of Signed Certificate
6969 // Timestamps (SCTs). If the value is unset, the default behavior
6970 // by Cosign is used.
6971 "ctlog"?: {
6972 // IgnoreSCT defines whether to use the Signed Certificate
6973 // Timestamp (SCT) log to check for a certificate
6974 // timestamp. Default is false. Set to true if this was opted out
6975 // during signing.
6976 "ignoreSCT"?: bool
6977
6978 // PubKey, if set, is used to validate SCTs against a custom
6979 // source.
6980 "pubkey"?: string
6981
6982 // TSACertChain, if set, is the PEM-encoded certificate chain file
6983 // for the RFC3161 timestamp authority. Must
6984 // contain the root CA certificate. Optionally may contain
6985 // intermediate CA certificates, and
6986 // may contain the leaf TSA certificate if not present in the
6987 // timestamp response.
6988 "tsaCertChain"?: string
6989 }
6990
6991 // Rekor provides configuration for the Rekor transparency log
6992 // service. If an empty object
6993 // is provided the public instance of Rekor
6994 // (https://rekor.sigstore.dev) is used.
6995 "rekor"?: {
6996 // IgnoreTlog skips transparency log verification.
6997 "ignoreTlog"?: bool
6998
6999 // RekorPubKey is an optional PEM-encoded public key to use for a
7000 // custom Rekor.
7001 // If set, this will be used to validate transparency log
7002 // signatures from a custom Rekor.
7003 "pubkey"?: string
7004
7005 // URL is the address of the transparency log. Defaults to the
7006 // public Rekor log instance https://rekor.sigstore.dev.
7007 "url"?: string
7008 }
7009 }
7010
7011 // Keyless is a set of attributes used to verify a Sigstore keyless
7012 // attestor.
7013 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7014 "keyless"?: {
7015 // AdditionalExtensions are certificate-extensions used for
7016 // keyless signing.
7017 "additionalExtensions"?: [string]: string
7018
7019 // CTLog (certificate timestamp log) provides a configuration for
7020 // validation of Signed Certificate
7021 // Timestamps (SCTs). If the value is unset, the default behavior
7022 // by Cosign is used.
7023 "ctlog"?: {
7024 // IgnoreSCT defines whether to use the Signed Certificate
7025 // Timestamp (SCT) log to check for a certificate
7026 // timestamp. Default is false. Set to true if this was opted out
7027 // during signing.
7028 "ignoreSCT"?: bool
7029
7030 // PubKey, if set, is used to validate SCTs against a custom
7031 // source.
7032 "pubkey"?: string
7033
7034 // TSACertChain, if set, is the PEM-encoded certificate chain file
7035 // for the RFC3161 timestamp authority. Must
7036 // contain the root CA certificate. Optionally may contain
7037 // intermediate CA certificates, and
7038 // may contain the leaf TSA certificate if not present in the
7039 // timestamp source.
7040 "tsaCertChain"?: string
7041 }
7042
7043 // Issuer is the certificate issuer used for keyless signing.
7044 "issuer"?: string
7045
7046 // IssuerRegExp is the regular expression to match certificate
7047 // issuer used for keyless signing.
7048 "issuerRegExp"?: string
7049
7050 // Rekor provides configuration for the Rekor transparency log
7051 // service. If an empty object
7052 // is provided the public instance of Rekor
7053 // (https://rekor.sigstore.dev) is used.
7054 "rekor"?: {
7055 // IgnoreTlog skips transparency log verification.
7056 "ignoreTlog"?: bool
7057
7058 // RekorPubKey is an optional PEM-encoded public key to use for a
7059 // custom Rekor.
7060 // If set, this will be used to validate transparency log
7061 // signatures from a custom Rekor.
7062 "pubkey"?: string
7063
7064 // URL is the address of the transparency log. Defaults to the
7065 // public Rekor log instance https://rekor.sigstore.dev.
7066 "url"?: string
7067 }
7068
7069 // Roots is an optional set of PEM encoded trusted root
7070 // certificates.
7071 // If not provided, the system roots are used.
7072 "roots"?: string
7073
7074 // Subject is the verified identity used for keyless signing, for
7075 // example the email address.
7076 "subject"?: string
7077
7078 // SubjectRegExp is the regular expression to match identity used
7079 // for keyless signing, for example the email address.
7080 "subjectRegExp"?: string
7081 }
7082
7083 // Keys specifies one or more public keys.
7084 "keys"?: {
7085 // CTLog (certificate timestamp log) provides a configuration for
7086 // validation of Signed Certificate
7087 // Timestamps (SCTs). If the value is unset, the default behavior
7088 // by Cosign is used.
7089 "ctlog"?: {
7090 // IgnoreSCT defines whether to use the Signed Certificate
7091 // Timestamp (SCT) log to check for a certificate
7092 // timestamp. Default is false. Set to true if this was opted out
7093 // during signing.
7094 "ignoreSCT"?: bool
7095
7096 // PubKey, if set, is used to validate SCTs against a custom
7097 // source.
7098 "pubkey"?: string
7099
7100 // TSACertChain, if set, is the PEM-encoded certificate chain file
7101 // for the RFC3161 timestamp authority. Must
7102 // contain the root CA certificate. Optionally may contain
7103 // intermediate CA certificates, and
7104 // may contain the leaf TSA certificate if not present in the
7105 // timestamp source.
7106 "tsaCertChain"?: string
7107 }
7108
7109 // KMS provides the URI to the public key stored in a Key
7110 // Management System. See:
7111 // https://github.com/sigstore/cosign/blob/main/KMS.md
7112 "kms"?: string
7113
7114 // Keys is a set of X.509 public keys used to verify image
7115 // signatures. The keys can be directly
7116 // specified or can be a variable reference to a key specified in
7117 // a ConfigMap (see
7118 // https://kyverno.io/docs/writing-policies/variables/), or
7119 // reference a standard Kubernetes Secret
7120 // elsewhere in the cluster by specifying it in the format
7121 // "k8s://<namespace>/<secret_name>".
7122 // The named Secret must specify a key `cosign.pub` containing the
7123 // public key used for
7124 // verification (see
7125 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7126 // When multiple keys are specified each key is processed as a
7127 // separate staticKey entry
7128 // (.attestors[*].entries.keys) within the set of attestors and
7129 // the count is applied across the keys.
7130 "publicKeys"?: string
7131
7132 // Rekor provides configuration for the Rekor transparency log
7133 // service. If an empty object
7134 // is provided the public instance of Rekor
7135 // (https://rekor.sigstore.dev) is used.
7136 "rekor"?: {
7137 // IgnoreTlog skips transparency log verification.
7138 "ignoreTlog"?: bool
7139
7140 // RekorPubKey is an optional PEM-encoded public key to use for a
7141 // custom Rekor.
7142 // If set, this will be used to validate transparency log
7143 // signatures from a custom Rekor.
7144 "pubkey"?: string
7145
7146 // URL is the address of the transparency log. Defaults to the
7147 // public Rekor log instance https://rekor.sigstore.dev.
7148 "url"?: string
7149 }
7150
7151 // Reference to a Secret resource that contains a public key
7152 "secret"?: {
7153 // Name of the secret. The provided secret must contain a key
7154 // named cosign.pub.
7155 "name"!: string
7156
7157 // Namespace name where the Secret exists.
7158 "namespace"!: string
7159 }
7160
7161 // Deprecated. Use attestor.signatureAlgorithm instead.
7162 "signatureAlgorithm"?: string
7163 }
7164
7165 // Repository is an optional alternate OCI repository to use for
7166 // signatures and attestations that match this rule.
7167 // If specified Repository will override other OCI image
7168 // repository locations for this Attestor.
7169 "repository"?: string
7170
7171 // Specify signature algorithm for public keys. Supported values
7172 // are sha224, sha256, sha384 and sha512.
7173 "signatureAlgorithm"?: string
7174 }]
7175 }]
7176
7177 // DryRun configuration
7178 "dryRun"?: {
7179 "enable"?: bool
7180 "namespace"?: string
7181 }
7182
7183 // Fields which will be ignored while comparing manifests.
7184 "ignoreFields"?: [...{
7185 "fields"?: [...string]
7186 "objects"?: [...{
7187 "group"?: string
7188 "kind"?: string
7189 "name"?: string
7190 "namespace"?: string
7191 "version"?: string
7192 }]
7193 }]
7194
7195 // Repository is an optional alternate OCI repository to use for
7196 // resource bundle reference.
7197 // The repository can be overridden per Attestor or Attestation.
7198 "repository"?: string
7199 }
7200
7201 // Message specifies a custom message to be displayed on failure.
7202 "message"?: string
7203
7204 // Pattern specifies an overlay-style pattern used to check
7205 // resources.
7206 "pattern"?: null | bool | number | string | [...] | {
7207 ...
7208 }
7209
7210 // PodSecurity applies exemptions for Kubernetes Pod Security
7211 // admission
7212 // by specifying exclusions for Pod Security Standards controls.
7213 "podSecurity"?: {
7214 // Exclude specifies the Pod Security Standard controls to be
7215 // excluded.
7216 "exclude"?: [...{
7217 // ControlName specifies the name of the Pod Security Standard
7218 // control.
7219 // See:
7220 // https://kubernetes.io/docs/concepts/security/pod-security-standards/
7221 "controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
7222
7223 // Images selects matching containers and applies the container
7224 // level PSS.
7225 // Each image is the image name consisting of the registry
7226 // address, repository, image, and tag.
7227 // Empty list matches no containers, PSS checks are applied at the
7228 // pod level only.
7229 // Wildcards ('*' and '?') are allowed. See:
7230 // https://kubernetes.io/docs/concepts/containers/images.
7231 "images"?: [...string]
7232
7233 // RestrictedField selects the field for the given Pod Security
7234 // Standard control.
7235 // When not set, all restricted fields for the control are
7236 // selected.
7237 "restrictedField"?: string
7238
7239 // Values defines the allowed values that can be excluded.
7240 "values"?: [...string]
7241 }]
7242
7243 // Level defines the Pod Security Standard level to be applied to
7244 // workloads.
7245 // Allowed values are privileged, baseline, and restricted.
7246 "level"?: "privileged" | "baseline" | "restricted"
7247
7248 // Version defines the Pod Security Standard versions that
7249 // Kubernetes supports.
7250 // Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24,
7251 // v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
7252 "version"?: "v1.19" | "v1.20" | "v1.21" | "v1.22" | "v1.23" | "v1.24" | "v1.25" | "v1.26" | "v1.27" | "v1.28" | "v1.29" | "latest"
7253 }
7254 }
7255
7256 // VerifyImages is used to verify image signatures and mutate them
7257 // to add a digest
7258 "verifyImages"?: [...{
7259 // Deprecated.
7260 "additionalExtensions"?: [string]: string
7261
7262 // Deprecated. Use annotations per Attestor instead.
7263 "annotations"?: {
7264 [string]: string
7265 }
7266
7267 // Attestations are optional checks for signed in-toto Statements
7268 // used to verify the image.
7269 // See https://github.com/in-toto/attestation. Kyverno fetches
7270 // signed attestations from the
7271 // OCI registry and decodes them into a list of Statement
7272 // declarations.
7273 "attestations"?: [...{
7274 // Attestors specify the required attestors (i.e. authorities).
7275 "attestors"?: [...{
7276 // Count specifies the required number of entries that must match.
7277 // If the count is null, all entries must match
7278 // (a logical AND). If the count is 1, at least one entry must
7279 // match (a logical OR). If the count contains a
7280 // value N, then N must be less than or equal to the size of
7281 // entries, and at least N entries must match.
7282 "count"?: int & >=1
7283
7284 // Entries contains the available attestors. An attestor can be a
7285 // static key,
7286 // attributes for keyless verification, or a nested attestor
7287 // declaration.
7288 "entries"?: [...{
7289 // Annotations are used for image verification.
7290 // Every specified key-value pair must exist and match in the
7291 // verified payload.
7292 // The payload may contain other key-value pairs.
7293 "annotations"?: [string]: string
7294
7295 // Attestor is a nested set of Attestor used to specify a more
7296 // complex set of match authorities.
7297 "attestor"?: null | bool | number | string | [...] | {
7298 ...
7299 }
7300
7301 // Certificates specifies one or more certificates.
7302 "certificates"?: {
7303 // Cert is an optional PEM-encoded public certificate.
7304 "cert"?: string
7305
7306 // CertChain is an optional PEM encoded set of certificates used
7307 // to verify.
7308 "certChain"?: string
7309
7310 // CTLog (certificate timestamp log) provides a configuration for
7311 // validation of Signed Certificate
7312 // Timestamps (SCTs). If the value is unset, the default behavior
7313 // by Cosign is used.
7314 "ctlog"?: {
7315 // IgnoreSCT defines whether to use the Signed Certificate
7316 // Timestamp (SCT) log to check for a certificate
7317 // timestamp. Default is false. Set to true if this was opted out
7318 // during signing.
7319 "ignoreSCT"?: bool
7320
7321 // PubKey, if set, is used to validate SCTs against a custom
7322 // source.
7323 "pubkey"?: string
7324
7325 // TSACertChain, if set, is the PEM-encoded certificate chain file
7326 // for the RFC3161 timestamp authority. Must
7327 // contain the root CA certificate. Optionally may contain
7328 // intermediate CA certificates, and
7329 // may contain the leaf TSA certificate if not present in the
7330 // timestamp source.
7331 "tsaCertChain"?: string
7332 }
7333
7334 // Rekor provides configuration for the Rekor transparency log
7335 // service. If an empty object
7336 // is provided the public instance of Rekor
7337 // (https://rekor.sigstore.dev) is used.
7338 "rekor"?: {
7339 // IgnoreTlog skips transparency log verification.
7340 "ignoreTlog"?: bool
7341
7342 // RekorPubKey is an optional PEM-encoded public key to use for a
7343 // custom Rekor.
7344 // If set, this will be used to validate transparency log
7345 // signatures from a custom Rekor.
7346 "pubkey"?: string
7347
7348 // URL is the address of the transparency log. Defaults to the
7349 // public Rekor log instance https://rekor.sigstore.dev.
7350 "url"?: string
7351 }
7352 }
7353
7354 // Keyless is a set of attributes used to verify a Sigstore keyless
7355 // attestor.
7356 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7357 "keyless"?: {
7358 // AdditionalExtensions are certificate-extensions used for
7359 // keyless signing.
7360 "additionalExtensions"?: [string]: string
7361
7362 // CTLog (certificate timestamp log) provides a configuration for
7363 // validation of Signed Certificate
7364 // Timestamps (SCTs). If the value is unset, the default behavior
7365 // by Cosign is used.
7366 "ctlog"?: {
7367 // IgnoreSCT defines whether to use the Signed Certificate
7368 // Timestamp (SCT) log to check for a certificate
7369 // timestamp. Default is false. Set to true if this was opted out
7370 // during signing.
7371 "ignoreSCT"?: bool
7372
7373 // PubKey, if set, is used to validate SCTs against a custom
7374 // source.
7375 "pubkey"?: string
7376
7377 // TSACertChain, if set, is the PEM-encoded certificate chain file
7378 // for the RFC3161 timestamp authority. Must
7379 // contain the root CA certificate. Optionally may contain
7380 // intermediate CA certificates, and
7381 // may contain the leaf TSA certificate if not present in the
7382 // timestamp source.
7383 "tsaCertChain"?: string
7384 }
7385
7386 // Issuer is the certificate issuer used for keyless signing.
7387 "issuer"?: string
7388
7389 // IssuerRegExp is the regular expression to match certificate
7390 // issuer used for keyless signing.
7391 "issuerRegExp"?: string
7392
7393 // Rekor provides configuration for the Rekor transparency log
7394 // service. If an empty object
7395 // is provided the public instance of Rekor
7396 // (https://rekor.sigstore.dev) is used.
7397 "rekor"?: {
7398 // IgnoreTlog skips transparency log verification.
7399 "ignoreTlog"?: bool
7400
7401 // RekorPubKey is an optional PEM-encoded public key to use for a
7402 // custom Rekor.
7403 // If set, this will be used to validate transparency log
7404 // signatures from a custom Rekor.
7405 "pubkey"?: string
7406
7407 // URL is the address of the transparency log. Defaults to the
7408 // public Rekor log instance https://rekor.sigstore.dev.
7409 "url"?: string
7410 }
7411
7412 // Roots is an optional set of PEM encoded trusted root
7413 // certificates.
7414 // If not provided, the system roots are used.
7415 "roots"?: string
7416
7417 // Subject is the verified identity used for keyless signing, for
7418 // example the email address.
7419 "subject"?: string
7420
7421 // SubjectRegExp is the regular expression to match identity used
7422 // for keyless signing, for example the email address.
7423 "subjectRegExp"?: string
7424 }
7425
7426 // Keys specifies one or more public keys.
7427 "keys"?: {
7428 // CTLog (certificate timestamp log) provides a configuration for
7429 // validation of Signed Certificate
7430 // Timestamps (SCTs). If the value is unset, the default behavior
7431 // by Cosign is used.
7432 "ctlog"?: {
7433 // IgnoreSCT defines whether to use the Signed Certificate
7434 // Timestamp (SCT) log to check for a certificate
7435 // timestamp. Default is false. Set to true if this was opted out
7436 // during signing.
7437 "ignoreSCT"?: bool
7438
7439 // PubKey, if set, is used to validate SCTs against a custom
7440 // source.
7441 "pubkey"?: string
7442
7443 // TSACertChain, if set, is the PEM-encoded certificate chain file
7444 // for the RFC3161 timestamp authority. Must
7445 // contain the root CA certificate. Optionally may contain
7446 // intermediate CA certificates, and
7447 // may contain the leaf TSA certificate if not present in the
7448 // timestamp source.
7449 "tsaCertChain"?: string
7450 }
7451
7452 // KMS provides the URI to the public key stored in a Key
7453 // Management System. See:
7454 // https://github.com/sigstore/cosign/blob/main/KMS.md
7455 "kms"?: string
7456
7457 // Keys is a set of X.509 public keys used to verify image
7458 // signatures. The keys can be directly
7459 // specified or can be a variable reference to a key specified in
7460 // a ConfigMap (see
7461 // https://kyverno.io/docs/writing-policies/variables/), or
7462 // reference a standard Kubernetes Secret
7463 // elsewhere in the cluster by specifying it in the format
7464 // "k8s://<namespace>/<secret_name>".
7465 // The named Secret must specify a key `cosign.pub` containing the
7466 // public key used for
7467 // verification (see
7468 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7469 // When multiple keys are specified each key is processed as a
7470 // separate staticKey entry
7471 // (.attestors[*].entries.keys) within the set of attestors and
7472 // the count is applied across the keys.
7473 "publicKeys"?: string
7474
7475 // Rekor provides configuration for the Rekor transparency log
7476 // service. If an empty object
7477 // is provided the public instance of Rekor
7478 // (https://rekor.sigstore.dev) is used.
7479 "rekor"?: {
7480 // IgnoreTlog skips transparency log verification.
7481 "ignoreTlog"?: bool
7482
7483 // RekorPubKey is an optional PEM-encoded public key to use for a
7484 // custom Rekor.
7485 // If set, this will be used to validate transparency log
7486 // signatures from a custom Rekor.
7487 "pubkey"?: string
7488
7489 // URL is the address of the transparency log. Defaults to the
7490 // public Rekor log instance https://rekor.sigstore.dev.
7491 "url"?: string
7492 }
7493
7494 // Reference to a Secret resource that contains a public key
7495 "secret"?: {
7496 // Name of the secret. The provided secret must contain a key
7497 // named cosign.pub.
7498 "name"!: string
7499
7500 // Namespace name where the Secret exists.
7501 "namespace"!: string
7502 }
7503
7504 // Deprecated. Use attestor.signatureAlgorithm instead.
7505 "signatureAlgorithm"?: string
7506 }
7507
7508 // Repository is an optional alternate OCI repository to use for
7509 // signatures and attestations that match this rule.
7510 // If specified Repository will override other OCI image
7511 // repository locations for this Attestor.
7512 "repository"?: string
7513
7514 // Specify signature algorithm for public keys. Supported values
7515 // are sha224, sha256, sha384 and sha512.
7516 "signatureAlgorithm"?: string
7517 }]
7518 }]
7519
7520 // Conditions are used to verify attributes within a Predicate. If
7521 // no Conditions are specified
7522 // the attestation check is satisfied as long as there are predicates
7523 // that match the predicate type.
7524 "conditions"?: [...{
7525 // AllConditions enable variable-based conditional rule execution.
7526 // This is useful for
7527 // finer control of when a rule is applied. A condition can
7528 // reference object data
7529 // using JMESPath notation.
7530 // Here, all of the conditions need to pass
7531 "all"?: [...{
7532 // Key is the context entry (using JMESPath) for conditional rule
7533 // evaluation.
7534 "key"?: null | bool | number | string | [...] | {
7535 ...
7536 }
7537
7538 // Message is an optional display message
7539 "message"?: string
7540
7541 // Operator is the conditional operation to perform. Valid
7542 // operators are:
7543 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7544 // GreaterThanOrEquals,
7545 // GreaterThan, LessThanOrEquals, LessThan,
7546 // DurationGreaterThanOrEquals, DurationGreaterThan,
7547 // DurationLessThanOrEquals, DurationLessThan
7548 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7549
7550 // Value is the conditional value, or set of values. The values
7551 // can be fixed set
7552 // or can be variables declared using JMESPath.
7553 "value"?: null | bool | number | string | [...] | {
7554 ...
7555 }
7556 }]
7557
7558 // AnyConditions enable variable-based conditional rule execution.
7559 // This is useful for
7560 // finer control of when a rule is applied. A condition can
7561 // reference object data
7562 // using JMESPath notation.
7563 // Here, at least one of the conditions needs to pass
7564 "any"?: [...{
7565 // Key is the context entry (using JMESPath) for conditional rule
7566 // evaluation.
7567 "key"?: null | bool | number | string | [...] | {
7568 ...
7569 }
7570
7571 // Message is an optional display message
7572 "message"?: string
7573
7574 // Operator is the conditional operation to perform. Valid
7575 // operators are:
7576 // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
7577 // GreaterThanOrEquals,
7578 // GreaterThan, LessThanOrEquals, LessThan,
7579 // DurationGreaterThanOrEquals, DurationGreaterThan,
7580 // DurationLessThanOrEquals, DurationLessThan
7581 "operator"?: "Equals" | "NotEquals" | "In" | "AnyIn" | "AllIn" | "NotIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
7582
7583 // Value is the conditional value, or set of values. The values
7584 // can be fixed set
7585 // or can be variables declared using JMESPath.
7586 "value"?: null | bool | number | string | [...] | {
7587 ...
7588 }
7589 }]
7590 }]
7591
7592 // Name is the variable name.
7593 "name"?: string
7594
7595 // Deprecated in favour of 'Type', to be removed soon
7596 "predicateType"?: string
7597
7598 // Type defines the type of attestation contained within the
7599 // Statement.
7600 "type"?: string
7601 }]
7602
7603 // Attestors specify the required attestors (i.e. authorities).
7604 "attestors"?: [...{
7605 // Count specifies the required number of entries that must match.
7606 // If the count is null, all entries must match
7607 // (a logical AND). If the count is 1, at least one entry must
7608 // match (a logical OR). If the count contains a
7609 // value N, then N must be less than or equal to the size of
7610 // entries, and at least N entries must match.
7611 "count"?: int & >=1
7612
7613 // Entries contains the available attestors. An attestor can be a
7614 // static key,
7615 // attributes for keyless verification, or a nested attestor
7616 // declaration.
7617 "entries"?: [...{
7618 // Annotations are used for image verification.
7619 // Every specified key-value pair must exist and match in the
7620 // verified payload.
7621 // The payload may contain other key-value pairs.
7622 "annotations"?: [string]: string
7623
7624 // Attestor is a nested set of Attestor used to specify a more
7625 // complex set of match authorities.
7626 "attestor"?: null | bool | number | string | [...] | {
7627 ...
7628 }
7629
7630 // Certificates specifies one or more certificates.
7631 "certificates"?: {
7632 // Cert is an optional PEM-encoded public certificate.
7633 "cert"?: string
7634
7635 // CertChain is an optional PEM encoded set of certificates used
7636 // to verify.
7637 "certChain"?: string
7638
7639 // CTLog (certificate timestamp log) provides a configuration for
7640 // validation of Signed Certificate
7641 // Timestamps (SCTs). If the value is unset, the default behavior
7642 // by Cosign is used.
7643 "ctlog"?: {
7644 // IgnoreSCT defines whether to use the Signed Certificate
7645 // Timestamp (SCT) log to check for a certificate
7646 // timestamp. Default is false. Set to true if this was opted out
7647 // during signing.
7648 "ignoreSCT"?: bool
7649
7650 // PubKey, if set, is used to validate SCTs against a custom
7651 // source.
7652 "pubkey"?: string
7653
7654 // TSACertChain, if set, is the PEM-encoded certificate chain file
7655 // for the RFC3161 timestamp authority. Must
7656 // contain the root CA certificate. Optionally may contain
7657 // intermediate CA certificates, and
7658 // may contain the leaf TSA certificate if not present in the
7659 // timestamp source.
7660 "tsaCertChain"?: string
7661 }
7662
7663 // Rekor provides configuration for the Rekor transparency log
7664 // service. If an empty object
7665 // is provided the public instance of Rekor
7666 // (https://rekor.sigstore.dev) is used.
7667 "rekor"?: {
7668 // IgnoreTlog skips transparency log verification.
7669 "ignoreTlog"?: bool
7670
7671 // RekorPubKey is an optional PEM-encoded public key to use for a
7672 // custom Rekor.
7673 // If set, this will be used to validate transparency log
7674 // signatures from a custom Rekor.
7675 "pubkey"?: string
7676
7677 // URL is the address of the transparency log. Defaults to the
7678 // public Rekor log instance https://rekor.sigstore.dev.
7679 "url"?: string
7680 }
7681 }
7682
7683 // Keyless is a set of attributes used to verify a Sigstore keyless
7684 // attestor.
7685 // See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
7686 "keyless"?: {
7687 // AdditionalExtensions are certificate-extensions used for
7688 // keyless signing.
7689 "additionalExtensions"?: [string]: string
7690
7691 // CTLog (certificate timestamp log) provides a configuration for
7692 // validation of Signed Certificate
7693 // Timestamps (SCTs). If the value is unset, the default behavior
7694 // by Cosign is used.
7695 "ctlog"?: {
7696 // IgnoreSCT defines whether to use the Signed Certificate
7697 // Timestamp (SCT) log to check for a certificate
7698 // timestamp. Default is false. Set to true if this was opted out
7699 // during signing.
7700 "ignoreSCT"?: bool
7701
7702 // PubKey, if set, is used to validate SCTs against a custom
7703 // source.
7704 "pubkey"?: string
7705
7706 // TSACertChain, if set, is the PEM-encoded certificate chain file
7707 // for the RFC3161 timestamp authority. Must
7708 // contain the root CA certificate. Optionally may contain
7709 // intermediate CA certificates, and
7710 // may contain the leaf TSA certificate if not present in the
7711 // timestamp source.
7712 "tsaCertChain"?: string
7713 }
7714
7715 // Issuer is the certificate issuer used for keyless signing.
7716 "issuer"?: string
7717
7718 // IssuerRegExp is the regular expression to match certificate
7719 // issuer used for keyless signing.
7720 "issuerRegExp"?: string
7721
7722 // Rekor provides configuration for the Rekor transparency log
7723 // service. If an empty object
7724 // is provided the public instance of Rekor
7725 // (https://rekor.sigstore.dev) is used.
7726 "rekor"?: {
7727 // IgnoreTlog skips transparency log verification.
7728 "ignoreTlog"?: bool
7729
7730 // RekorPubKey is an optional PEM-encoded public key to use for a
7731 // custom Rekor.
7732 // If set, this will be used to validate transparency log
7733 // signatures from a custom Rekor.
7734 "pubkey"?: string
7735
7736 // URL is the address of the transparency log. Defaults to the
7737 // public Rekor log instance https://rekor.sigstore.dev.
7738 "url"?: string
7739 }
7740
7741 // Roots is an optional set of PEM encoded trusted root
7742 // certificates.
7743 // If not provided, the system roots are used.
7744 "roots"?: string
7745
7746 // Subject is the verified identity used for keyless signing, for
7747 // example the email address.
7748 "subject"?: string
7749
7750 // SubjectRegExp is the regular expression to match identity used
7751 // for keyless signing, for example the email address.
7752 "subjectRegExp"?: string
7753 }
7754
7755 // Keys specifies one or more public keys.
7756 "keys"?: {
7757 // CTLog (certificate timestamp log) provides a configuration for
7758 // validation of Signed Certificate
7759 // Timestamps (SCTs). If the value is unset, the default behavior
7760 // by Cosign is used.
7761 "ctlog"?: {
7762 // IgnoreSCT defines whether to use the Signed Certificate
7763 // Timestamp (SCT) log to check for a certificate
7764 // timestamp. Default is false. Set to true if this was opted out
7765 // during signing.
7766 "ignoreSCT"?: bool
7767
7768 // PubKey, if set, is used to validate SCTs against a custom
7769 // source.
7770 "pubkey"?: string
7771
7772 // TSACertChain, if set, is the PEM-encoded certificate chain file
7773 // for the RFC3161 timestamp authority. Must
7774 // contain the root CA certificate. Optionally may contain
7775 // intermediate CA certificates, and
7776 // may contain the leaf TSA certificate if not present in the
7777 // timestamp source.
7778 "tsaCertChain"?: string
7779 }
7780
7781 // KMS provides the URI to the public key stored in a Key
7782 // Management System. See:
7783 // https://github.com/sigstore/cosign/blob/main/KMS.md
7784 "kms"?: string
7785
7786 // Keys is a set of X.509 public keys used to verify image
7787 // signatures. The keys can be directly
7788 // specified or can be a variable reference to a key specified in
7789 // a ConfigMap (see
7790 // https://kyverno.io/docs/writing-policies/variables/), or
7791 // reference a standard Kubernetes Secret
7792 // elsewhere in the cluster by specifying it in the format
7793 // "k8s://<namespace>/<secret_name>".
7794 // The named Secret must specify a key `cosign.pub` containing the
7795 // public key used for
7796 // verification (see
7797 // https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
7798 // When multiple keys are specified each key is processed as a
7799 // separate staticKey entry
7800 // (.attestors[*].entries.keys) within the set of attestors and
7801 // the count is applied across the keys.
7802 "publicKeys"?: string
7803
7804 // Rekor provides configuration for the Rekor transparency log
7805 // service. If an empty object
7806 // is provided the public instance of Rekor
7807 // (https://rekor.sigstore.dev) is used.
7808 "rekor"?: {
7809 // IgnoreTlog skips transparency log verification.
7810 "ignoreTlog"?: bool
7811
7812 // RekorPubKey is an optional PEM-encoded public key to use for a
7813 // custom Rekor.
7814 // If set, this will be used to validate transparency log
7815 // signatures from a custom Rekor.
7816 "pubkey"?: string
7817
7818 // URL is the address of the transparency log. Defaults to the
7819 // public Rekor log instance https://rekor.sigstore.dev.
7820 "url"?: string
7821 }
7822
7823 // Reference to a Secret resource that contains a public key
7824 "secret"?: {
7825 // Name of the secret. The provided secret must contain a key
7826 // named cosign.pub.
7827 "name"!: string
7828
7829 // Namespace name where the Secret exists.
7830 "namespace"!: string
7831 }
7832
7833 // Deprecated. Use attestor.signatureAlgorithm instead.
7834 "signatureAlgorithm"?: string
7835 }
7836
7837 // Repository is an optional alternate OCI repository to use for
7838 // signatures and attestations that match this rule.
7839 // If specified, Repository overrides other OCI image
7840 // repository locations for this Attestor.
7841 "repository"?: string
7842
7843 // SignatureAlgorithm selects the signature algorithm used with the
7844 // public keys. Supported values are sha224, sha256, sha384 and sha512.
7845 "signatureAlgorithm"?: string
7846 }]
7847 }]
7848
7849 // CosignOCI11 enables the experimental OCI 1.1 behaviour in
7850 // cosign image verification.
7851 // Defaults to false.
7852 "cosignOCI11"?: bool
7853
7854 // FailureAction controls how a failing rule is handled. Allowed values are Audit or Enforce.
7855 "failureAction"?: "Audit" | "Enforce"
7856
7857 // Deprecated. Use ImageReferences instead.
7858 "image"?: string
7859
7860 // ImageReferences is a list of matching image reference patterns.
7861 // At least one pattern in the
7862 // list must match the image for the rule to apply. Each image
7863 // reference consists of a registry
7864 // address (defaults to docker.io), repository, image, and tag
7865 // (defaults to latest).
7866 // Wildcards ('*' and '?') are allowed. See:
7867 // https://kubernetes.io/docs/concepts/containers/images.
7868 "imageReferences"?: [...string]
7869
7870 // ImageRegistryCredentials provides credentials that will be used
7871 // for authentication with registry.
7872 "imageRegistryCredentials"?: {
7873 // AllowInsecureRegistry allows insecure access to a registry, weakening the transport guarantees on registry connections.
7874 "allowInsecureRegistry"?: bool
7875
7876 // Providers specifies a list of OCI registry authentication
7877 // providers to enable.
7878 // Each entry must be one of these values:
7879 // default, google, azure, amazon, github.
7880 "providers"?: [..."default" | "amazon" | "azure" | "google" | "github"]
7881
7882 // Secrets specifies a list of secrets that are provided for
7883 // credentials.
7884 // Secrets must live in the Kyverno namespace.
7885 "secrets"?: [...string]
7886 }
7887
7888 // Deprecated. Use KeylessAttestor instead.
7889 "issuer"?: string
7890
7891 // Deprecated. Use StaticKeyAttestor instead.
7892 "key"?: string
7893
7894 // MutateDigest enables replacement of image tags with digests.
7895 // Defaults to true.
7896 "mutateDigest"?: bool
7897
7898 // Repository is an optional alternate OCI repository to use for
7899 // image signatures and attestations that match this rule.
7900 // If specified, Repository overrides the default OCI image
7901 // repository configured for the installation.
7902 // The repository can also be overridden per Attestor or
7903 // Attestation.
7904 "repository"?: string
7905
7906 // Required validates that images are verified, i.e. have
7907 // passed a signature or attestation check.
7908 "required"?: bool
7909
7910 // Deprecated. Use KeylessAttestor instead.
7911 "roots"?: string
7912
7913 // SkipImageReferences is a list of matching image reference
7914 // patterns that should be skipped.
7915 // At least one pattern in the list must match the image for the
7916 // rule to be skipped. Each image reference
7917 // consists of a registry address (defaults to docker.io),
7918 // repository, image, and tag (defaults to latest).
7919 // Wildcards ('*' and '?') are allowed. See:
7920 // https://kubernetes.io/docs/concepts/containers/images.
7921 "skipImageReferences"?: [...string]
7922
7923 // Deprecated. Use KeylessAttestor instead.
7924 "subject"?: string
7925
7926 // Type specifies the method of signature validation. The allowed
7927 // options are Cosign, SigstoreBundle and Notary.
7928 // Cosign is used by default if a type is not specified.
7930 "type"?: "Cosign" | "SigstoreBundle" | "Notary"
7931
7932 // UseCache enables caching of image verify responses for this
7933 // rule.
7934 "useCache"?: bool
7935
7936 // Validate checks conditions across multiple image
7937 // verification attestations or context entries.
7938 "validate"?: {
7939 // Deny defines conditions used to pass or fail a validation rule.
7940 "deny"?: {
7941 // Multiple conditions can be declared under an `any` or `all`
7942 // statement. A direct list
7943 // of conditions (without `any` or `all` statements) is also
7944 // supported for backwards compatibility
7945 // but will be deprecated in the next major release.
7946 // See:
7947 // https://kyverno.io/docs/writing-policies/validate/#deny-rules
7948 "conditions"?: null | bool | number | string | [...] | {
7949 ...
7950 }
7951 }
7952
7953 // Message specifies a custom message to be displayed on failure.
7954 "message"?: string
7955 }
7956
7957 // VerifyDigest validates that images have a digest.
7958 "verifyDigest"?: bool
7959 }]
7960 }]
7961 }
7962 "conditions"?: [...{
7963 // lastTransitionTime is the last time the condition transitioned
7964 // from one status to another.
7965 // This should be when the underlying condition changed. If that
7966 // is not known, then using the time when the API field changed
7967 // is acceptable.
7968 "lastTransitionTime"!: time.Time
7969
7970 // message is a human readable message indicating details about
7971 // the transition.
7972 // This may be an empty string.
7973 "message"!: strings.MaxRunes(
7974 32768)
7975
7976 // observedGeneration represents the .metadata.generation that the
7977 // condition was set based upon.
7978 // For instance, if .metadata.generation is currently 12, but the
7979 // .status.conditions[x].observedGeneration is 9, the condition
7980 // is out of date
7981 // with respect to the current state of the instance.
7982 "observedGeneration"?: int64 & int & >=0
7983
7984 // reason contains a programmatic identifier indicating the reason
7985 // for the condition's last transition.
7986 // Producers of specific condition types may define expected
7987 // values and meanings for this field,
7988 // and whether the values are considered a guaranteed API.
7989 // The value should be a CamelCase string.
7990 // This field may not be empty.
7991 "reason"!: strings.MaxRunes(
7992 1024) & strings.MinRunes(
7993 1) & =~"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$"
7994
7995 // status of the condition, one of True, False, Unknown.
7996 "status"!: "True" | "False" | "Unknown"
7997
7998 // type of condition in CamelCase or in foo.example.com/CamelCase.
7999 "type"!: strings.MaxRunes(
8000 316) & =~"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
8001 }]
8002
8003 // Deprecated. Use Conditions instead.
8004 "ready"?: bool
8005
8006 // RuleCountStatus contains four counters describing the number
8007 // of validate, generate, mutate and verify-image rules in the
8008 // policy.
8009 "rulecount"?: {
8010 // Count for generate rules in policy
8011 "generate"!: int
8012
8013 // Count for mutate rules in policy
8014 "mutate"!: int
8015
8016 // Count for validate rules in policy
8017 "validate"!: int
8018
8019 // Count for verify image rules in policy
8020 "verifyimages"!: int
8021 }
8022
8023 // ValidatingAdmissionPolicy contains status information
8024 "validatingadmissionpolicy"?: {
8025 // Generated indicates whether a validating admission policy was
8026 // generated from the policy.
8027 "generated"!: bool
8028
8029 // Message is a human readable message indicating details about
8030 // the generation of the validating admission policy.
8031 // It is an empty string when the validating admission policy was
8032 // successfully generated.
8033 "message"!: string
8034 }
8035 }
8036
8037 _embeddedResource: {
8038 "apiVersion"!: string
8039 "kind"!: string
8040 "metadata"?: {
8041 ...
8042 }
8043 }
8044 apiVersion: "kyverno.io/v2beta1"
8045 kind: "Policy"
8046 metadata!: {
8047 "name"!: string
8048 "namespace"!: string
8049 "labels"?: {
8050 [string]: string
8051 }
8052 "annotations"?: {
8053 [string]: string
8054 }
8055 ...
8056 }
8057}