cue.dev/x/kyverno@v0.4.0

updaterequest/v2/schema.cue raw

  1package v2
  2
  3// UpdateRequest is a request to process mutate and generate rules
  4// in background.
   //
   // NOTE(review): spec.context below carries a copy of the admission
   // request (object, oldObject and userInfo). Read access to
   // UpdateRequest resources therefore exposes whatever those objects
   // contained, and anything able to create or edit UpdateRequests
   // supplies this context itself. Scope RBAC on this resource with that
   // in mind, and confirm how the background controller trusts these
   // fields.
  5#UpdateRequest: {
   	// Embeds the hidden _embeddedResource struct declared near the end of
   	// this definition (required apiVersion and kind, optional metadata).
  6	_embeddedResource
  7
  8	// APIVersion defines the versioned schema of this representation
  9	// of an object.
 10	// Servers should convert recognized schemas to the latest
 11	// internal value, and
 12	// may reject unrecognized values.
 13	// More info:
 14	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 15	"apiVersion"?: string
 16
 17	// Kind is a string value representing the REST resource this
 18	// object represents.
 19	// Servers may infer this from the endpoint the client submits
 20	// requests to.
 21	// Cannot be updated.
 22	// In CamelCase.
 23	// More info:
 24	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 25	"kind"?: string
   	// Object metadata. The `metadata!` declaration at the end of this
   	// definition additionally requires name and namespace.
 26	"metadata"?: {}
 27
 28	// ResourceSpec is the information to identify the trigger
 29	// resource.
   	// NOTE(review): the sentence above reads like the description of the
   	// nested "resource" field. As declared here, spec holds the admission
   	// context, the policy and rule names, the request type and the
   	// trigger resource.
 30	"spec"?: {
 31		// Context represents admission request context.
 32		// It is used upon admission review only and is shared across
 33		// rules within the same UR.
   		// Required (`!`) whenever spec is present.
 34		"context"!: {
 35			// AdmissionRequestInfoObject stores the admission request and
 36			// operation details
 37			"admissionRequestInfo"?: {
 38				// AdmissionRequest describes the admission.Attributes for the
 39				// admission request.
   				// The field set matches the Kubernetes admission/v1
   				// AdmissionRequest type.
 40				"admissionRequest"?: {
 41					// DryRun indicates that modifications will definitely not be
 42					// persisted for this request.
 43					// Defaults to false.
 44					"dryRun"?: bool
 45
 46					// Kind is the fully-qualified type of object being submitted (for
 47					// example, v1.Pod or autoscaling.v1.Scale)
 48					"kind"!: {
 49						"group"!:   string
 50						"kind"!:    string
 51						"version"!: string
 52					}
 53
 54					// Name is the name of the object as presented in the request. On
 55					// a CREATE operation, the client may omit name and
 56					// rely on the server to generate the name. If that is the case,
 57					// this field will contain an empty string.
 58					"name"?: string
 59
 60					// Namespace is the namespace associated with the request (if
 61					// any).
 62					"namespace"?: string
 63
 64					// Object is the object from the incoming request.
   					// Open struct (`...`): this schema puts no constraint on the
   					// object's fields.
   					// NOTE(review): if the admitted object held sensitive data
   					// (a Secret, for instance), that data would presumably be
   					// copied here -- confirm.
 65					"object"?: {
 66						...
 67					}
 68
 69					// OldObject is the existing object. Only populated for DELETE and
 70					// UPDATE requests.
   					// Open struct, unconstrained like "object" above.
 71					"oldObject"?: {
 72						...
 73					}
 74
 75					// Operation is the operation being performed. This may be
 76					// different than the operation
 77					// requested. e.g. a patch can result in either a CREATE or UPDATE
 78					// Operation.
   					// Declared as an unconstrained string here; the Kubernetes
   					// admission API defines CREATE, UPDATE, DELETE and CONNECT.
 79					"operation"!: string
 80
 81					// Options is the operation option structure of the operation
 82					// being performed.
 83					// e.g. `meta.k8s.io/v1.DeleteOptions` or
 84					// `meta.k8s.io/v1.CreateOptions`. This may be
 85					// different than the options the caller provided. e.g. for a
 86					// patch request the performed
 87					// Operation might be a CREATE, in which case the Options will be a
 88					// `meta.k8s.io/v1.CreateOptions` even though the caller provided
 89					// `meta.k8s.io/v1.PatchOptions`.
 90					"options"?: {
 91						...
 92					}
 93
 94					// RequestKind is the fully-qualified type of the original API
 95					// request (for example, v1.Pod or autoscaling.v1.Scale).
 96					// If this is specified and differs from the value in "kind", an
 97					// equivalent match and conversion was performed.
 98					//
 99					// For example, if deployments can be modified via apps/v1 and
100					// apps/v1beta1, and a webhook registered a rule of
101					// `apiGroups:["apps"], apiVersions:["v1"], resources:
102					// ["deployments"]` and `matchPolicy: Equivalent`,
103					// an API request to apps/v1beta1 deployments would be converted
104					// and sent to the webhook
105					// with `kind: {group:"apps", version:"v1", kind:"Deployment"}`
106					// (matching the rule the webhook registered for),
107					// and `requestKind: {group:"apps", version:"v1beta1",
108					// kind:"Deployment"}` (indicating the kind of the original API
109					// request).
110					//
111					// See documentation for the "matchPolicy" field in the webhook
112					// configuration type for more details.
113					"requestKind"?: {
114						"group"!:   string
115						"kind"!:    string
116						"version"!: string
117					}
118
119					// RequestResource is the fully-qualified resource of the original
120					// API request (for example, v1.pods).
121					// If this is specified and differs from the value in "resource",
122					// an equivalent match and conversion was performed.
123					//
124					// For example, if deployments can be modified via apps/v1 and
125					// apps/v1beta1, and a webhook registered a rule of
126					// `apiGroups:["apps"], apiVersions:["v1"], resources:
127					// ["deployments"]` and `matchPolicy: Equivalent`,
128					// an API request to apps/v1beta1 deployments would be converted
129					// and sent to the webhook
130					// with `resource: {group:"apps", version:"v1",
131					// resource:"deployments"}` (matching the resource the webhook
132					// registered for),
133					// and `requestResource: {group:"apps", version:"v1beta1",
134					// resource:"deployments"}` (indicating the resource of the
135					// original API request).
136					//
137					// See documentation for the "matchPolicy" field in the webhook
138					// configuration type.
139					"requestResource"?: {
140						"group"!:    string
141						"resource"!: string
142						"version"!:  string
143					}
144
145					// RequestSubResource is the name of the subresource of the
146					// original API request, if any (for example, "status" or
147					// "scale")
148					// If this is specified and differs from the value in
149					// "subResource", an equivalent match and conversion was
150					// performed.
151					// See documentation for the "matchPolicy" field in the webhook
152					// configuration type.
153					"requestSubResource"?: string
154
155					// Resource is the fully-qualified resource being requested (for
156					// example, v1.pods)
157					"resource"!: {
158						"group"!:    string
159						"resource"!: string
160						"version"!:  string
161					}
162
163					// SubResource is the subresource being requested, if any (for
164					// example, "status" or "scale")
165					"subResource"?: string
166
167					// UID is an identifier for the individual request/response. It
168					// allows us to distinguish instances of requests which are
169					// otherwise identical (parallel requests, requests when earlier
170					// requests did not modify etc)
171					// The UID is meant to track the round trip (request/response)
172					// between the KAS and the WebHook, not the user request.
173					// It is suitable for correlating log entries between the webhook
174					// and apiserver, for either auditing or debugging.
175					"uid"!: string
176
177					// UserInfo is information about the requesting user
   					// The struct itself is required, but every member is optional
   					// and only type-checked, so an empty userInfo satisfies this
   					// schema.
178					"userInfo"!: {
179						// Any additional information provided by the authenticator.
   						// Map from string keys to lists of strings.
180						"extra"?: [string]: [...string]
181
182						// The names of groups this user is a part of.
183						"groups"?: [...string]
184
185						// A unique value that identifies this user across time. If this
186						// user is
187						// deleted and another user by the same name is added, they will
188						// have
189						// different UIDs.
190						"uid"?: string
191
192						// The name that uniquely identifies this user among all active
193						// users.
194						"username"?: string
195					}
196				}
197
198				// Operation is the type of resource operation being checked for
199				// admission control
200				"operation"?: string
201			}
202
203			// RequestInfo contains permission info carried in an admission
204			// request.
   			// Note the nesting: this outer "userInfo" holds roles, clusterRoles
   			// and an inner "userInfo" with the same shape as
   			// admissionRequest.userInfo above.
   			// NOTE(review): these identity and role values are plain data in
   			// the object's spec; this schema cannot show whether they came
   			// from a real admission review -- confirm before relying on them
   			// for authorization decisions.
205			"userInfo"?: {
206				// ClusterRoles is a list of the clusterRoles possibly held by the
207				// sender of the request. Either null or a list of strings.
208				"clusterRoles"?:
209					null | [...string]
210
211				// Roles is a list of the roles possibly held by the sender of the
   				// request. Either null or a list of strings.
212				"roles"?:
213					null | [...string]
214
215				// UserInfo is the userInfo carried in the admission request.
216				"userInfo"?: {
217					// Any additional information provided by the authenticator.
218					"extra"?: [string]: [...string]
219
220					// The names of groups this user is a part of.
221					"groups"?: [...string]
222
223					// A unique value that identifies this user across time. If this
224					// user is
225					// deleted and another user by the same name is added, they will
226					// have
227					// different UIDs.
228					"uid"?: string
229
230					// The name that uniquely identifies this user among all active
231					// users.
232					"username"?: string
233				}
234			}
235		}
236
237		// DeleteDownstream represents whether the downstream needs to be
238		// deleted.
239		// Deprecated
   		// Still declared required (`!`) by this schema despite the
   		// deprecation note, so it must be set whenever spec is present.
240		"deleteDownstream"!: bool
241
242		// Specifies the name of the policy.
243		"policy"!: string
244
245		// Type represents request type for background processing
   		// The only constrained string in this schema: when set it must be
   		// "mutate" or "generate".
246		"requestType"?: "mutate" | "generate"
247
248		// ResourceSpec is the information to identify the trigger
249		// resource.
   		// The struct is required; each identifying member inside it is
   		// optional.
250		"resource"!: {
251			// APIVersion specifies resource apiVersion.
252			"apiVersion"?: string
253
254			// Kind specifies resource kind.
255			"kind"?: string
256
257			// Name specifies the resource name.
258			"name"?: string
259
260			// Namespace specifies resource namespace.
261			"namespace"?: string
262
263			// UID specifies the resource uid.
264			"uid"?: string
265		}
266
267		// Rule is the name of the rule associated with the current UR.
268		"rule"!: string
269
270		// RuleContext is the associated context to apply rules.
271		// optional
   		// Open list; each entry names a rule and its trigger resource.
272		"ruleContext"?: [...{
273			// DeleteDownstream represents whether the downstream needs to be
274			// deleted.
275			"deleteDownstream"!: bool
276
277			// Rule is the name of the rule associated with the current UR.
278			"rule"!: string
279
280			// Synchronize represents the sync behavior of the corresponding
281			// rule
282			// Optional. Defaults to "false" if not specified.
283			"synchronize"?: bool
284
285			// ResourceSpec is the information to identify the trigger
286			// resource.
287			"trigger"!: {
288				// APIVersion specifies resource apiVersion.
289				"apiVersion"?: string
290
291				// Kind specifies resource kind.
292				"kind"?: string
293
294				// Name specifies the resource name.
295				"name"?: string
296
297				// Namespace specifies resource namespace.
298				"namespace"?: string
299
300				// UID specifies the resource uid.
301				"uid"?: string
302			}
303		}]
304
305		// Synchronize represents the sync behavior of the corresponding
306		// rule
307		// Optional. Defaults to "false" if not specified.
308		// Deprecated, will be removed in 1.14.
309		"synchronize"?: bool
310	}
311
312	// Status contains statistics related to update request.
313	"status"?: {
314		// This will track the resources that are updated by the generate
315		// Policy.
316		// Will be used during clean up resources.
317		"generatedResources"?: [...{
318			// APIVersion specifies resource apiVersion.
319			"apiVersion"?: string
320
321			// Kind specifies resource kind.
322			"kind"?: string
323
324			// Name specifies the resource name.
325			"name"?: string
326
327			// Namespace specifies resource namespace.
328			"namespace"?: string
329
330			// UID specifies the resource uid.
331			"uid"?: string
332		}]
333
334		// Specifies request status message.
335		"message"?:    string
   		// No description is given for retryCount in this file; presumably a
   		// count of processing retries -- TODO confirm.
336		"retryCount"?: int
337
338		// State represents state of the update request.
   		// Required when status is present; any string is accepted by this
   		// schema.
339		"state"!: string
340	}
341
   	// Hidden field (leading underscore), embedded at the top of this
   	// definition: requires apiVersion and kind and leaves metadata open.
342	_embeddedResource: {
343		"apiVersion"!: string
344		"kind"!:       string
345		"metadata"?: {
346			...
347		}
348	}
   	// apiVersion and kind are pinned to concrete values, so only
   	// kyverno.io/v2 UpdateRequest objects unify with this definition.
349	apiVersion: "kyverno.io/v2"
350	kind:       "UpdateRequest"
   	// metadata is required, with name and namespace both mandatory; labels
   	// and annotations are string-to-string maps, and `...` admits any other
   	// metadata fields.
351	metadata!: {
352		"name"!:      string
353		"namespace"!: string
354		"labels"?: {
355			[string]: string
356		}
357		"annotations"?: {
358			[string]: string
359		}
360		...
361	}
362}
362}