1package v2
2
3// PolicyException declares resources to be excluded from
4// specified policies.
#PolicyException: {
	// This definition is unified with the concrete resource envelope
	// declared at the bottom of the struct: apiVersion and kind are
	// pinned to fixed values and metadata (name and namespace) becomes
	// required, even though the fields just below declare them optional.
	//
	// An exception removes matched resources from enforcement of the
	// listed policy rules. The schema constrains the shape of `match`,
	// `exceptions` and `podSecurity` but not how broad they are, so
	// authors should keep each of them as narrow as the use case allows.
	_embeddedResource

	// APIVersion defines the versioned schema of this representation
	// of an object.
	// Servers should convert recognized schemas to the latest
	// internal value, and
	// may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion"?: string

	// Kind is a string value representing the REST resource this
	// object represents.
	// Servers may infer this from the endpoint the client submits
	// requests to.
	// Cannot be updated.
	// In CamelCase.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind"?: string
	"metadata"?: {}

	// Spec declares policy exception behaviors.
	"spec"!: {
		// Background controls if exceptions are applied to existing
		// policies during a background scan.
		// Optional. Default value is "true". The value must be set to
		// "false" if the policy rule
		// uses variables that are only available in the admission review
		// request (e.g. user name).
		"background"?: bool

		// Conditions are used to determine if a resource applies to the
		// exception by evaluating a
		// set of conditions. The declaration can contain nested `any` or
		// `all` statements.
		"conditions"?: {
			// AllConditions enable variable-based conditional rule execution.
			// This is useful for
			// finer control of when a rule is applied. A condition can
			// reference object data
			// using JMESPath notation.
			// Here, all of the conditions need to pass.
			"all"?: [...{
				// Key is the context entry (using JMESPath) for conditional rule
				// evaluation. Any JSON value is accepted.
				"key"?: null | bool | number | string | [...] | {
					...
				}

				// Message is an optional display message
				"message"?: string

				// Operator is the conditional operation to perform. The
				// values admitted by this schema are exactly those in the
				// enum below. The upstream API description also names In
				// and NotIn, but the enum does not admit them; the set
				// forms are AnyIn, AllIn, AnyNotIn and AllNotIn.
				"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"

				// Value is the conditional value, or set of values. The values
				// can be a fixed set
				// or can be variables declared using JMESPath.
				// Any JSON value is accepted.
				"value"?: null | bool | number | string | [...] | {
					...
				}
			}]

			// AnyConditions enable variable-based conditional rule execution.
			// This is useful for
			// finer control of when a rule is applied. A condition can
			// reference object data
			// using JMESPath notation.
			// Here, at least one of the conditions needs to pass.
			"any"?: [...{
				// Key is the context entry (using JMESPath) for conditional rule
				// evaluation. Any JSON value is accepted.
				"key"?: null | bool | number | string | [...] | {
					...
				}

				// Message is an optional display message
				"message"?: string

				// Operator is the conditional operation to perform. The
				// values admitted by this schema are exactly those in the
				// enum below. The upstream API description also names In
				// and NotIn, but the enum does not admit them; the set
				// forms are AnyIn, AllIn, AnyNotIn and AllNotIn.
				"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"

				// Value is the conditional value, or set of values. The values
				// can be a fixed set
				// or can be variables declared using JMESPath.
				// Any JSON value is accepted.
				"value"?: null | bool | number | string | [...] | {
					...
				}
			}]
		}

		// Exceptions is the list of policy/rule pairs to be excluded.
		// Both fields of every entry are required, so an exception
		// always names specific rules rather than a whole policy.
		"exceptions"!: [...{
			// PolicyName identifies the policy to which the exception is
			// applied.
			// The policy name uses the format <namespace>/<name> unless it
			// references a ClusterPolicy.
			"policyName"!: string

			// RuleNames identifies the rules to which the exception is
			// applied.
			"ruleNames"!: [...string]
		}]

		// Match defines the match clause used to check if a resource
		// applies to the exception.
		// The matchN(0, ...) constraint rejects any non-struct value and
		// any struct that declares both `any` and `all`, so the two
		// lists cannot be combined in one match clause.
		"match"!: matchN(0, [null | bool | number | string | [...] | {
			"any"!: _
			"all"!: _
		}]) & {
			// All allows specifying resources which will be ANDed
			"all"?: [...{
				// ClusterRoles is the list of cluster-wide role names for the
				// user.
				"clusterRoles"?: [...string]

				// ResourceDescription contains information about the resource
				// being created or modified.
				// The matchN(0, ...) constraint rejects a struct that sets
				// both `name` and `names`; use one or the other.
				"resources"?: matchN(0, [null | bool | number | string | [...] | {
					"name"!: _
					"names"!: _
				}]) & {
					// Annotations is a map of annotations (key-value pairs of type
					// string). Annotation keys
					// and values support the wildcard characters "*" (matches zero or
					// many characters) and
					// "?" (matches at least one character).
					"annotations"?: [string]: string

					// Kinds is a list of resource kinds.
					"kinds"?: [...string]

					// Name is the name of the resource. The name supports wildcard
					// characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					// NOTE: "Name" is being deprecated in favor of "Names".
					"name"?: string

					// Names are the names of the resources. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"names"?: [...string]

					// NamespaceSelector is a label selector for the resource
					// namespace. Label keys and values
					// in `matchLabels` support the wildcard characters `*` (matches
					// zero or many characters)
					// and `?` (matches one character). Wildcards allow writing label
					// selectors like
					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
					// any key and value but
					// does not match an empty label set.
					"namespaceSelector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							// The schema types this as a plain string; the value set is
							// enforced by the API server, not here.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}

					// Namespaces is a list of namespace names. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"namespaces"?: [...string]

					// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
					// "DELETE"], which are used to match a specific action.
					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

					// Selector is a label selector. Label keys and values in
					// `matchLabels` support the wildcard
					// characters `*` (matches zero or many characters) and `?`
					// (matches one character).
					// Wildcards allow writing label selectors like
					// ["storage.k8s.io/*": "*"]. Note that
					// using ["*" : "*"] matches any key and value but does not match
					// an empty label set.
					"selector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							// The schema types this as a plain string; the value set is
							// enforced by the API server, not here.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}
				}

				// Roles is the list of namespaced role names for the user.
				"roles"?: [...string]

				// Subjects is the list of subject names like users, user groups,
				// and service accounts.
				"subjects"?: [...{
					// APIGroup holds the API group of the referenced subject.
					// Defaults to "" for ServiceAccount subjects.
					// Defaults to "rbac.authorization.k8s.io" for User and Group
					// subjects.
					"apiGroup"?: string

					// Kind of object being referenced. Values defined by this API
					// group are "User", "Group", and "ServiceAccount".
					// If the Authorizer does not recognize the kind value, the
					// Authorizer should report an error.
					"kind"!: string

					// Name of the object being referenced.
					"name"!: string

					// Namespace of the referenced object. If the object kind is
					// not namespaced, such as "User" or "Group", and this value is
					// not empty
					// the Authorizer should report an error.
					"namespace"?: string
				}]
			}]

			// Any allows specifying resources which will be ORed
			"any"?: [...{
				// ClusterRoles is the list of cluster-wide role names for the
				// user.
				"clusterRoles"?: [...string]

				// ResourceDescription contains information about the resource
				// being created or modified.
				// The matchN(0, ...) constraint rejects a struct that sets
				// both `name` and `names`; use one or the other.
				"resources"?: matchN(0, [null | bool | number | string | [...] | {
					"name"!: _
					"names"!: _
				}]) & {
					// Annotations is a map of annotations (key-value pairs of type
					// string). Annotation keys
					// and values support the wildcard characters "*" (matches zero or
					// many characters) and
					// "?" (matches at least one character).
					"annotations"?: [string]: string

					// Kinds is a list of resource kinds.
					"kinds"?: [...string]

					// Name is the name of the resource. The name supports wildcard
					// characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					// NOTE: "Name" is being deprecated in favor of "Names".
					"name"?: string

					// Names are the names of the resources. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"names"?: [...string]

					// NamespaceSelector is a label selector for the resource
					// namespace. Label keys and values
					// in `matchLabels` support the wildcard characters `*` (matches
					// zero or many characters)
					// and `?` (matches one character). Wildcards allow writing label
					// selectors like
					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
					// any key and value but
					// does not match an empty label set.
					"namespaceSelector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							// The schema types this as a plain string; the value set is
							// enforced by the API server, not here.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}

					// Namespaces is a list of namespace names. Each name supports
					// wildcard characters
					// "*" (matches zero or many characters) and "?" (at least one
					// character).
					"namespaces"?: [...string]

					// Operations can contain values ["CREATE", "UPDATE", "CONNECT",
					// "DELETE"], which are used to match a specific action.
					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]

					// Selector is a label selector. Label keys and values in
					// `matchLabels` support the wildcard
					// characters `*` (matches zero or many characters) and `?`
					// (matches one character).
					// Wildcards allow writing label selectors like
					// ["storage.k8s.io/*": "*"]. Note that
					// using ["*" : "*"] matches any key and value but does not match
					// an empty label set.
					"selector"?: {
						// matchExpressions is a list of label selector requirements. The
						// requirements are ANDed.
						"matchExpressions"?: [...{
							// key is the label key that the selector applies to.
							"key"!: string

							// operator represents a key's relationship to a set of values.
							// Valid operators are In, NotIn, Exists and DoesNotExist.
							// The schema types this as a plain string; the value set is
							// enforced by the API server, not here.
							"operator"!: string

							// values is an array of string values. If the operator is In or
							// NotIn,
							// the values array must be non-empty. If the operator is Exists
							// or DoesNotExist,
							// the values array must be empty. This array is replaced during a
							// strategic
							// merge patch.
							"values"?: [...string]
						}]

						// matchLabels is a map of {key,value} pairs. A single {key,value}
						// in the matchLabels
						// map is equivalent to an element of matchExpressions, whose key
						// field is "key", the
						// operator is "In", and the values array contains only "value".
						// The requirements are ANDed.
						"matchLabels"?: {
							[string]: string
						}
					}
				}

				// Roles is the list of namespaced role names for the user.
				"roles"?: [...string]

				// Subjects is the list of subject names like users, user groups,
				// and service accounts.
				"subjects"?: [...{
					// APIGroup holds the API group of the referenced subject.
					// Defaults to "" for ServiceAccount subjects.
					// Defaults to "rbac.authorization.k8s.io" for User and Group
					// subjects.
					"apiGroup"?: string

					// Kind of object being referenced. Values defined by this API
					// group are "User", "Group", and "ServiceAccount".
					// If the Authorizer does not recognize the kind value, the
					// Authorizer should report an error.
					"kind"!: string

					// Name of the object being referenced.
					"name"!: string

					// Namespace of the referenced object. If the object kind is
					// not namespaced, such as "User" or "Group", and this value is
					// not empty
					// the Authorizer should report an error.
					"namespace"?: string
				}]
			}]
		}

		// PodSecurity specifies the Pod Security Standard controls to be
		// excluded.
		// Applicable only to policies that have validate.podSecurity
		// subrule.
		"podSecurity"?: [...{
			// ControlName specifies the name of the Pod Security Standard
			// control. Only the enum values below are accepted.
			// See:
			// https://kubernetes.io/docs/concepts/security/pod-security-standards/
			"controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"

			// Images selects matching containers and applies the container
			// level PSS.
			// Each image is the image name consisting of the registry
			// address, repository, image, and tag.
			// Empty list matches no containers, PSS checks are applied at the
			// pod level only.
			// Wildcards ('*' and '?') are allowed. See:
			// https://kubernetes.io/docs/concepts/containers/images.
			"images"?: [...string]

			// RestrictedField selects the field for the given Pod Security
			// Standard control.
			// When not set, all restricted fields for the control are
			// selected.
			"restrictedField"?: string

			// Values defines the allowed values that can be excluded.
			"values"?: [...string]
		}]
	}

	// Concrete resource envelope. Unifying these fields with the
	// optional apiVersion/kind/metadata declared above fixes the
	// group/version and kind and requires metadata.name and
	// metadata.namespace, so a PolicyException is always namespaced.
	_embeddedResource: {
		"apiVersion"!: string
		"kind"!: string
		"metadata"?: {
			...
		}
	}
	apiVersion: "kyverno.io/v2"
	kind: "PolicyException"
	metadata!: {
		"name"!: string
		"namespace"!: string
		"labels"?: {
			[string]: string
		}
		"annotations"?: {
			[string]: string
		}
		...
	}
}