cue.dev/x/kyverno@v0.4.0

policyexception/v2/schema.cue

  1package v2
  2
  3// PolicyException declares resources to be excluded from
  4// specified policies.
  5#PolicyException: {
  6	_embeddedResource
  7
  8	// APIVersion defines the versioned schema of this representation
  9	// of an object.
 10	// Servers should convert recognized schemas to the latest
 11	// internal value, and
 12	// may reject unrecognized values.
 13	// More info:
 14	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 15	"apiVersion"?: string
 16
 17	// Kind is a string value representing the REST resource this
 18	// object represents.
 19	// Servers may infer this from the endpoint the client submits
 20	// requests to.
 21	// Cannot be updated.
 22	// In CamelCase.
 23	// More info:
 24	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 25	"kind"?: string
 26	"metadata"?: {}
 27
 28	// Spec declares policy exception behaviors.
 29	"spec"!: {
 30		// Background controls if exceptions are applied to existing
 31		// policies during a background scan.
 32		// Optional. Default value is "true". The value must be set to
 33		// "false" if the policy rule
 34		// uses variables that are only available in the admission review
 35		// request (e.g. user name).
 36		"background"?: bool
 37
 38		// Conditions are used to determine if a resource applies to the
 39		// exception by evaluating a
 40		// set of conditions. The declaration can contain nested `any` or
 41		// `all` statements.
 42		"conditions"?: {
 43			// AllConditions enable variable-based conditional rule execution.
 44			// This is useful for
 45			// finer control of when an rule is applied. A condition can
 46			// reference object data
 47			// using JMESPath notation.
 48			// Here, all of the conditions need to pass.
 49			"all"?: [...{
 50				// Key is the context entry (using JMESPath) for conditional rule
 51				// evaluation.
 52				"key"?: null | bool | number | string | [...] | {
 53					...
 54				}
 55
 56				// Message is an optional display message
 57				"message"?: string
 58
 59				// Operator is the conditional operation to perform. Valid
 60				// operators are:
 61				// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
 62				// GreaterThanOrEquals,
 63				// GreaterThan, LessThanOrEquals, LessThan,
 64				// DurationGreaterThanOrEquals, DurationGreaterThan,
 65				// DurationLessThanOrEquals, DurationLessThan
 66				"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
 67
 68				// Value is the conditional value, or set of values. The values
 69				// can be fixed set
 70				// or can be variables declared using JMESPath.
 71				"value"?: null | bool | number | string | [...] | {
 72					...
 73				}
 74			}]
 75
 76			// AnyConditions enable variable-based conditional rule execution.
 77			// This is useful for
 78			// finer control of when an rule is applied. A condition can
 79			// reference object data
 80			// using JMESPath notation.
 81			// Here, at least one of the conditions need to pass.
 82			"any"?: [...{
 83				// Key is the context entry (using JMESPath) for conditional rule
 84				// evaluation.
 85				"key"?: null | bool | number | string | [...] | {
 86					...
 87				}
 88
 89				// Message is an optional display message
 90				"message"?: string
 91
 92				// Operator is the conditional operation to perform. Valid
 93				// operators are:
 94				// Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn,
 95				// GreaterThanOrEquals,
 96				// GreaterThan, LessThanOrEquals, LessThan,
 97				// DurationGreaterThanOrEquals, DurationGreaterThan,
 98				// DurationLessThanOrEquals, DurationLessThan
 99				"operator"?: "Equals" | "NotEquals" | "AnyIn" | "AllIn" | "AnyNotIn" | "AllNotIn" | "GreaterThanOrEquals" | "GreaterThan" | "LessThanOrEquals" | "LessThan" | "DurationGreaterThanOrEquals" | "DurationGreaterThan" | "DurationLessThanOrEquals" | "DurationLessThan"
100
101				// Value is the conditional value, or set of values. The values
102				// can be fixed set
103				// or can be variables declared using JMESPath.
104				"value"?: null | bool | number | string | [...] | {
105					...
106				}
107			}]
108		}
109
110		// Exceptions is a list policy/rules to be excluded
111		"exceptions"!: [...{
112			// PolicyName identifies the policy to which the exception is
113			// applied.
114			// The policy name uses the format <namespace>/<name> unless it
115			// references a ClusterPolicy.
116			"policyName"!: string
117
118			// RuleNames identifies the rules to which the exception is
119			// applied.
120			"ruleNames"!: [...string]
121		}]
122
123		// Match defines match clause used to check if a resource applies
124		// to the exception
125		"match"!: matchN(0, [null | bool | number | string | [...] | {
126			"any"!: _
127			"all"!: _
128		}]) & {
129			// All allows specifying resources which will be ANDed
130			"all"?: [...{
131				// ClusterRoles is the list of cluster-wide role names for the
132				// user.
133				"clusterRoles"?: [...string]
134
135				// ResourceDescription contains information about the resource
136				// being created or modified.
137				"resources"?: matchN(0, [null | bool | number | string | [...] | {
138					"name"!:  _
139					"names"!: _
140				}]) & {
141					// Annotations is a map of annotations (key-value pairs of type
142					// string). Annotation keys
143					// and values support the wildcard characters "*" (matches zero or
144					// many characters) and
145					// "?" (matches at least one character).
146					"annotations"?: [string]: string
147
148					// Kinds is a list of resource kinds.
149					"kinds"?: [...string]
150
151					// Name is the name of the resource. The name supports wildcard
152					// characters
153					// "*" (matches zero or many characters) and "?" (at least one
154					// character).
155					// NOTE: "Name" is being deprecated in favor of "Names".
156					"name"?: string
157
158					// Names are the names of the resources. Each name supports
159					// wildcard characters
160					// "*" (matches zero or many characters) and "?" (at least one
161					// character).
162					"names"?: [...string]
163
164					// NamespaceSelector is a label selector for the resource
165					// namespace. Label keys and values
166					// in `matchLabels` support the wildcard characters `*` (matches
167					// zero or many characters)
168					// and `?` (matches one character).Wildcards allows writing label
169					// selectors like
170					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
171					// any key and value but
172					// does not match an empty label set.
173					"namespaceSelector"?: {
174						// matchExpressions is a list of label selector requirements. The
175						// requirements are ANDed.
176						"matchExpressions"?: [...{
177							// key is the label key that the selector applies to.
178							"key"!: string
179
180							// operator represents a key's relationship to a set of values.
181							// Valid operators are In, NotIn, Exists and DoesNotExist.
182							"operator"!: string
183
184							// values is an array of string values. If the operator is In or
185							// NotIn,
186							// the values array must be non-empty. If the operator is Exists
187							// or DoesNotExist,
188							// the values array must be empty. This array is replaced during a
189							// strategic
190							// merge patch.
191							"values"?: [...string]
192						}]
193
194						// matchLabels is a map of {key,value} pairs. A single {key,value}
195						// in the matchLabels
196						// map is equivalent to an element of matchExpressions, whose key
197						// field is "key", the
198						// operator is "In", and the values array contains only "value".
199						// The requirements are ANDed.
200						"matchLabels"?: {
201							[string]: string
202						}
203					}
204
205					// Namespaces is a list of namespaces names. Each name supports
206					// wildcard characters
207					// "*" (matches zero or many characters) and "?" (at least one
208					// character).
209					"namespaces"?: [...string]
210
211					// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
212					// "DELETE"], which are used to match a specific action.
213					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
214
215					// Selector is a label selector. Label keys and values in
216					// `matchLabels` support the wildcard
217					// characters `*` (matches zero or many characters) and `?`
218					// (matches one character).
219					// Wildcards allows writing label selectors like
220					// ["storage.k8s.io/*": "*"]. Note that
221					// using ["*" : "*"] matches any key and value but does not match
222					// an empty label set.
223					"selector"?: {
224						// matchExpressions is a list of label selector requirements. The
225						// requirements are ANDed.
226						"matchExpressions"?: [...{
227							// key is the label key that the selector applies to.
228							"key"!: string
229
230							// operator represents a key's relationship to a set of values.
231							// Valid operators are In, NotIn, Exists and DoesNotExist.
232							"operator"!: string
233
234							// values is an array of string values. If the operator is In or
235							// NotIn,
236							// the values array must be non-empty. If the operator is Exists
237							// or DoesNotExist,
238							// the values array must be empty. This array is replaced during a
239							// strategic
240							// merge patch.
241							"values"?: [...string]
242						}]
243
244						// matchLabels is a map of {key,value} pairs. A single {key,value}
245						// in the matchLabels
246						// map is equivalent to an element of matchExpressions, whose key
247						// field is "key", the
248						// operator is "In", and the values array contains only "value".
249						// The requirements are ANDed.
250						"matchLabels"?: {
251							[string]: string
252						}
253					}
254				}
255
256				// Roles is the list of namespaced role names for the user.
257				"roles"?: [...string]
258
259				// Subjects is the list of subject names like users, user groups,
260				// and service accounts.
261				"subjects"?: [...{
262					// APIGroup holds the API group of the referenced subject.
263					// Defaults to "" for ServiceAccount subjects.
264					// Defaults to "rbac.authorization.k8s.io" for User and Group
265					// subjects.
266					"apiGroup"?: string
267
268					// Kind of object being referenced. Values defined by this API
269					// group are "User", "Group", and "ServiceAccount".
270					// If the Authorizer does not recognized the kind value, the
271					// Authorizer should report an error.
272					"kind"!: string
273
274					// Name of the object being referenced.
275					"name"!: string
276
277					// Namespace of the referenced object. If the object kind is
278					// non-namespace, such as "User" or "Group", and this value is
279					// not empty
280					// the Authorizer should report an error.
281					"namespace"?: string
282				}]
283			}]
284
285			// Any allows specifying resources which will be ORed
286			"any"?: [...{
287				// ClusterRoles is the list of cluster-wide role names for the
288				// user.
289				"clusterRoles"?: [...string]
290
291				// ResourceDescription contains information about the resource
292				// being created or modified.
293				"resources"?: matchN(0, [null | bool | number | string | [...] | {
294					"name"!:  _
295					"names"!: _
296				}]) & {
297					// Annotations is a map of annotations (key-value pairs of type
298					// string). Annotation keys
299					// and values support the wildcard characters "*" (matches zero or
300					// many characters) and
301					// "?" (matches at least one character).
302					"annotations"?: [string]: string
303
304					// Kinds is a list of resource kinds.
305					"kinds"?: [...string]
306
307					// Name is the name of the resource. The name supports wildcard
308					// characters
309					// "*" (matches zero or many characters) and "?" (at least one
310					// character).
311					// NOTE: "Name" is being deprecated in favor of "Names".
312					"name"?: string
313
314					// Names are the names of the resources. Each name supports
315					// wildcard characters
316					// "*" (matches zero or many characters) and "?" (at least one
317					// character).
318					"names"?: [...string]
319
320					// NamespaceSelector is a label selector for the resource
321					// namespace. Label keys and values
322					// in `matchLabels` support the wildcard characters `*` (matches
323					// zero or many characters)
324					// and `?` (matches one character).Wildcards allows writing label
325					// selectors like
326					// ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches
327					// any key and value but
328					// does not match an empty label set.
329					"namespaceSelector"?: {
330						// matchExpressions is a list of label selector requirements. The
331						// requirements are ANDed.
332						"matchExpressions"?: [...{
333							// key is the label key that the selector applies to.
334							"key"!: string
335
336							// operator represents a key's relationship to a set of values.
337							// Valid operators are In, NotIn, Exists and DoesNotExist.
338							"operator"!: string
339
340							// values is an array of string values. If the operator is In or
341							// NotIn,
342							// the values array must be non-empty. If the operator is Exists
343							// or DoesNotExist,
344							// the values array must be empty. This array is replaced during a
345							// strategic
346							// merge patch.
347							"values"?: [...string]
348						}]
349
350						// matchLabels is a map of {key,value} pairs. A single {key,value}
351						// in the matchLabels
352						// map is equivalent to an element of matchExpressions, whose key
353						// field is "key", the
354						// operator is "In", and the values array contains only "value".
355						// The requirements are ANDed.
356						"matchLabels"?: {
357							[string]: string
358						}
359					}
360
361					// Namespaces is a list of namespaces names. Each name supports
362					// wildcard characters
363					// "*" (matches zero or many characters) and "?" (at least one
364					// character).
365					"namespaces"?: [...string]
366
367					// Operations can contain values ["CREATE, "UPDATE", "CONNECT",
368					// "DELETE"], which are used to match a specific action.
369					"operations"?: [..."CREATE" | "CONNECT" | "UPDATE" | "DELETE"]
370
371					// Selector is a label selector. Label keys and values in
372					// `matchLabels` support the wildcard
373					// characters `*` (matches zero or many characters) and `?`
374					// (matches one character).
375					// Wildcards allows writing label selectors like
376					// ["storage.k8s.io/*": "*"]. Note that
377					// using ["*" : "*"] matches any key and value but does not match
378					// an empty label set.
379					"selector"?: {
380						// matchExpressions is a list of label selector requirements. The
381						// requirements are ANDed.
382						"matchExpressions"?: [...{
383							// key is the label key that the selector applies to.
384							"key"!: string
385
386							// operator represents a key's relationship to a set of values.
387							// Valid operators are In, NotIn, Exists and DoesNotExist.
388							"operator"!: string
389
390							// values is an array of string values. If the operator is In or
391							// NotIn,
392							// the values array must be non-empty. If the operator is Exists
393							// or DoesNotExist,
394							// the values array must be empty. This array is replaced during a
395							// strategic
396							// merge patch.
397							"values"?: [...string]
398						}]
399
400						// matchLabels is a map of {key,value} pairs. A single {key,value}
401						// in the matchLabels
402						// map is equivalent to an element of matchExpressions, whose key
403						// field is "key", the
404						// operator is "In", and the values array contains only "value".
405						// The requirements are ANDed.
406						"matchLabels"?: {
407							[string]: string
408						}
409					}
410				}
411
412				// Roles is the list of namespaced role names for the user.
413				"roles"?: [...string]
414
415				// Subjects is the list of subject names like users, user groups,
416				// and service accounts.
417				"subjects"?: [...{
418					// APIGroup holds the API group of the referenced subject.
419					// Defaults to "" for ServiceAccount subjects.
420					// Defaults to "rbac.authorization.k8s.io" for User and Group
421					// subjects.
422					"apiGroup"?: string
423
424					// Kind of object being referenced. Values defined by this API
425					// group are "User", "Group", and "ServiceAccount".
426					// If the Authorizer does not recognized the kind value, the
427					// Authorizer should report an error.
428					"kind"!: string
429
430					// Name of the object being referenced.
431					"name"!: string
432
433					// Namespace of the referenced object. If the object kind is
434					// non-namespace, such as "User" or "Group", and this value is
435					// not empty
436					// the Authorizer should report an error.
437					"namespace"?: string
438				}]
439			}]
440		}
441
442		// PodSecurity specifies the Pod Security Standard controls to be
443		// excluded.
444		// Applicable only to policies that have validate.podSecurity
445		// subrule.
446		"podSecurity"?: [...{
447			// ControlName specifies the name of the Pod Security Standard
448			// control.
449			// See:
450			// https://kubernetes.io/docs/concepts/security/pod-security-standards/
451			"controlName"!: "HostProcess" | "Host Namespaces" | "Privileged Containers" | "Capabilities" | "HostPath Volumes" | "Host Ports" | "AppArmor" | "SELinux" | "/proc Mount Type" | "Seccomp" | "Sysctls" | "Volume Types" | "Privilege Escalation" | "Running as Non-root" | "Running as Non-root user"
452
453			// Images selects matching containers and applies the container
454			// level PSS.
455			// Each image is the image name consisting of the registry
456			// address, repository, image, and tag.
457			// Empty list matches no containers, PSS checks are applied at the
458			// pod level only.
459			// Wildcards ('*' and '?') are allowed. See:
460			// https://kubernetes.io/docs/concepts/containers/images.
461			"images"?: [...string]
462
463			// RestrictedField selects the field for the given Pod Security
464			// Standard control.
465			// When not set, all restricted fields for the control are
466			// selected.
467			"restrictedField"?: string
468
469			// Values defines the allowed values that can be excluded.
470			"values"?: [...string]
471		}]
472	}
473
474	_embeddedResource: {
475		"apiVersion"!: string
476		"kind"!:       string
477		"metadata"?: {
478			...
479		}
480	}
481	apiVersion: "kyverno.io/v2"
482	kind:       "PolicyException"
483	metadata!: {
484		"name"!:      string
485		"namespace"!: string
486		"labels"?: {
487			[string]: string
488		}
489		"annotations"?: {
490			[string]: string
491		}
492		...
493	}
494}