authz.kyverno.io/v1alpha1

Resource Types

AuthorizationServer

AuthorizationServer is a resource that represents a new kyverno authorization server.

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| apiVersion | string | ✅ | | authz.kyverno.io/v1alpha1 |
| kind | string | ✅ | | AuthorizationServer |
| metadata | meta/v1.ObjectMeta | ✅ | | No description provided. |
| spec | AuthorizationServerSpec | ✅ | | No description provided. |

AuthorizationServerPolicySource

AuthorizationServerPolicySource represents where the authorization server will get its policies from.

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| kubernetes | KubernetesPolicySource | ✅ | | No description provided. |
| fs | FsPolicySource | ✅ | | No description provided. |
| git | GitPolicySource | ✅ | | No description provided. |
| oci | OciPolicySource | ✅ | | No description provided. |

AuthorizationServerSpec

AuthorizationServerSpec defines the spec of an authorization server.

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| type | AuthorizationServerType | ✅ | | Type defines the type of authorization server. |
| sources | []AuthorizationServerPolicySource | ✅ | | Sources contains all the sources of policies for the authorization server. |

AuthorizationServerType

AuthorizationServerType defines the type of authorization server. Only one of the fields should be set at a time (mutually exclusive).

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| envoy | EnvoyAuthorizationServer | ✅ | | Envoy configures an Envoy-based authorization server. |
| http | HTTPAuthorizationServer | ✅ | | HTTP configures a custom HTTP authorization server. |

EnvoyAuthorizationServer

EnvoyAuthorizationServer defines the Envoy authorization server configuration.

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| network | string | | | Network is the network the server listens on. |
| address | string | ✅ | | Address is the network address the server listens on. |

FsPolicySource

FsPolicySource defines the configuration for loading a policy from a local or mounted filesystem path.

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| path | string | ✅ | | Path specifies the filesystem location where the policy files are stored. |

GitPolicySource

GitPolicySource defines the configuration for retrieving a policy from a Git repository.

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| url | string | ✅ | | URL specifies the Git repository location that contains the policy files or definitions. Supported formats typically include HTTPS or SSH Git URLs. |

Group

(Alias of string)

Group refers to a Kubernetes Group. It must either be an empty string or a RFC 1123 subdomain.

This validation is based off of the corresponding Kubernetes validation: https://github.com/kubernetes/apimachinery/blob/02cfb53916346d085a6c6c7c66f882e3c6b0eca6/pkg/util/validation/validation.go#L208

Valid values include:

  • "" - empty string implies core Kubernetes API group
  • "authz.kyverno.io"
  • "policies.kyverno.io"

Invalid values include:

  • "example.com/bar" - "/" is an invalid character

HTTPAuthorizationServer

HTTPAuthorizationServer defines the HTTP authorization server configuration.

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| address | string | ✅ | | Address is the network address the server listens on. |
| nestedRequest | bool | ✅ | | NestedRequest specifies where to find the request to authenticate: the incoming request itself, or a request carried in its body. |
| modifiers | Modifiers | ✅ | | Modifiers to apply to requests and responses. |

Kind

(Alias of string)

Kind refers to a Kubernetes Kind.

Valid values include:

  • "Service"
  • "HTTPRoute"

Invalid values include:

  • "invalid/kind" - "/" is an invalid character

KubernetesPolicySource

KubernetesPolicySource defines a reference to a Kubernetes policy resource.

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| policyRef | PolicyObjectReference | ✅ | | PolicyRef is a reference to Kubernetes policy resources. When omitted, all ValidatingPolicy resources in the cluster are selected. When present, filters policies by name or selector. |

Modifiers

Modifiers defines the request/response modifiers for the authorization server.

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| request | string | ✅ | | Request is a script or expression for modifying the incoming request. |
| response | string | ✅ | | Response is a script or expression for modifying the outgoing response. |

ObjectName

(Alias of string)

ObjectName refers to the name of a Kubernetes object. Object names can have a variety of forms, including RFC 1123 subdomains, RFC 1123 labels, or RFC 1035 labels.

OciPolicySource

OciPolicySource defines the configuration for fetching policies from an OCI (Open Container Initiative) registry.

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| url | string | ✅ | | URL specifies the location of the OCI registry or image that contains the policy definitions. |
| allowInsecureRegistry | bool | ✅ | | AllowInsecureRegistry indicates whether connections to an insecure (HTTP or self-signed HTTPS) registry are permitted. This should generally be false in production environments to ensure secure communication. |
| imagePullSecrets | []string | ✅ | | ImagePullSecrets lists the names of Kubernetes secrets that contain credentials needed to authenticate with the OCI registry. These are typically referenced in Kubernetes to pull images from private registries. |

PolicyObjectReference

PolicyObjectReference represents a reference to a policy resource.

| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| group | Group | ✅ | | Group is the group of the referent. For example, "policies.kyverno.io". When unspecified or empty string, core API group is inferred. |
| kind | Kind | ✅ | | Kind is the kind of the referent. For example, "ValidatingPolicy". |
| name | ObjectName | ✅ | | Name is the name of the referent. Mutually exclusive with Selector. |
| selector | meta/v1.LabelSelector | ✅ | | Selector is a label selector to select the Kubernetes policy resource. Mutually exclusive with Name. |
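The constraints spread across this reference (Group is empty or an RFC 1123 subdomain, Kind contains no "/", name and selector are mutually exclusive, exactly one of envoy/http is set, and allowInsecureRegistry should be false in production) are the kind of thing worth checking before a manifest is applied. The following is an added example written for this page, not code from the kyverno project: a small pre-apply linter over an AuthorizationServer manifest held as a Python dict. The Group check uses the RFC 1123 subdomain pattern from the Kubernetes validation the page links to; the Kind pattern and the "one source kind per list entry" rule are assumptions and marked as such in the code. The two manifests are constructed sample input.

```python
import re

# RFC 1123 subdomain pattern and length limit, as in the Kubernetes
# apimachinery validation that the Group type refers to.
RFC1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
RFC1123_SUBDOMAIN_MAX_LEN = 253

# Assumption: Kind is a Kubernetes-style identifier (letter first, then letters,
# digits and dashes, at most 63 chars). The page only states that "/" is invalid.
KIND_PATTERN = re.compile(r"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$")
KIND_MAX_LEN = 63


def validate_group(group: str) -> list[str]:
    """Group must be "" (core API group) or an RFC 1123 subdomain."""
    if group == "":
        return []
    findings = []
    if len(group) > RFC1123_SUBDOMAIN_MAX_LEN:
        findings.append(f"group {group!r} exceeds {RFC1123_SUBDOMAIN_MAX_LEN} characters")
    if not RFC1123_SUBDOMAIN.match(group):
        findings.append(f"group {group!r} is not an RFC 1123 subdomain")
    return findings


def validate_kind(kind: str) -> list[str]:
    """Kind must match the (assumed) identifier pattern; "/" never passes."""
    if len(kind) > KIND_MAX_LEN or not KIND_PATTERN.match(kind):
        return [f"kind {kind!r} is not a valid Kind"]
    return []


def validate_policy_ref(ref: dict) -> list[str]:
    """Check a PolicyObjectReference: group, kind, and name/selector exclusivity."""
    findings = validate_group(ref.get("group", ""))
    if "kind" in ref:
        findings += validate_kind(ref["kind"])
    if "name" in ref and "selector" in ref:
        findings.append("policyRef: name and selector are mutually exclusive")
    return findings


def validate_server_type(server_type: dict) -> list[str]:
    """AuthorizationServerType: exactly one of envoy/http, each needing an address."""
    chosen = [k for k in ("envoy", "http") if k in server_type]
    if len(chosen) != 1:
        return [f"type: exactly one of envoy/http must be set, got {chosen}"]
    if "address" not in server_type[chosen[0]]:
        return [f"type.{chosen[0]}: address is required"]
    return []


def validate_source(source: dict) -> list[str]:
    """One AuthorizationServerPolicySource entry (assumed: one source kind per entry)."""
    chosen = [k for k in ("kubernetes", "fs", "git", "oci") if k in source]
    if len(chosen) != 1:
        return [f"exactly one of kubernetes/fs/git/oci must be set, got {chosen}"]
    kind, cfg = chosen[0], source[chosen[0]]
    findings = []
    if kind == "kubernetes":
        findings += validate_policy_ref(cfg.get("policyRef", {}))
    elif kind in ("git", "oci") and not cfg.get("url"):
        findings.append(f"{kind}.url is required")
    elif kind == "fs" and not cfg.get("path"):
        findings.append("fs.path is required")
    if kind == "oci" and cfg.get("allowInsecureRegistry"):
        # Flagged because policies would be fetched over HTTP or with an
        # unverified certificate; the reference says this should be false in production.
        findings.append("oci.allowInsecureRegistry is true")
    return findings


def validate_authorization_server(manifest: dict) -> list[str]:
    """Return all findings for a manifest; an empty list means it passed."""
    findings = []
    if manifest.get("apiVersion") != "authz.kyverno.io/v1alpha1":
        findings.append("apiVersion must be authz.kyverno.io/v1alpha1")
    if manifest.get("kind") != "AuthorizationServer":
        findings.append("kind must be AuthorizationServer")
    spec = manifest.get("spec", {})
    findings += validate_server_type(spec.get("type", {}))
    sources = spec.get("sources", [])
    if not sources:
        findings.append("spec.sources: at least one policy source is required")
    for i, src in enumerate(sources):
        findings += [f"spec.sources[{i}]: {f}" for f in validate_source(src)]
    return findings


# Constructed sample manifests (names, addresses and registry paths are made up).
GOOD_MANIFEST = {
    "apiVersion": "authz.kyverno.io/v1alpha1", "kind": "AuthorizationServer",
    "metadata": {"name": "edge-authz"},
    "spec": {
        "type": {"envoy": {"network": "tcp", "address": ":9081"}},
        "sources": [
            {"kubernetes": {"policyRef": {"group": "policies.kyverno.io",
                                          "kind": "ValidatingPolicy",
                                          "selector": {"matchLabels": {"tier": "edge"}}}}},
            {"oci": {"url": "registry.example.internal/policies:v1",
                     "allowInsecureRegistry": False, "imagePullSecrets": ["registry-creds"]}},
        ]}}

BAD_MANIFEST = {
    "apiVersion": "authz.kyverno.io/v1alpha1", "kind": "AuthorizationServer",
    "metadata": {"name": "broken"},
    "spec": {
        "type": {"envoy": {"address": ":9081"}, "http": {"address": ":8080"}},
        "sources": [
            {"kubernetes": {"policyRef": {"group": "example.com/bar", "kind": "invalid/kind",
                                          "name": "p", "selector": {}}}},
            {"oci": {"url": "localhost:5000/policies:dev", "allowInsecureRegistry": True}},
        ]}}

if __name__ == "__main__":
    for label, m in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(label, validate_authorization_server(m) or "ok")
```

Run stand-alone it prints `ok` for the first manifest and five findings for the second (both server types set, the two invalid identifiers from the page's own "invalid values" lists, name plus selector together, and the insecure registry flag). The checks are split per type so each mirrors one table in this reference.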