v1alpha1

Resource Types¶

AuthorizationPolicy

AuthorizationPolicy¶

AuthorizationPolicy defines an authorization policy resource

Field	Type	Description
`apiVersion`	`string`	`envoy.kyverno.io/v1alpha1`
`kind`	`string`	`AuthorizationPolicy`
`metadata`	`meta/v1.ObjectMeta`	No description provided.
`spec`	`AuthorizationPolicySpec`	No description provided.

Authorization¶

Appears in:

AuthorizationPolicySpec

Authorization defines an authorization policy rule

Field	Type	Required	Inline	Description
`match`	`string`			Match represents the match condition which will be evaluated by CEL. Must evaluate to bool.
`response`	`string`			Response represents the response expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to CEL variables as well as some other useful variables: - 'object' - The object from the incoming request. (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#service-auth-v3-checkrequest) CEL expressions are expected to return an envoy CheckResponse (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#service-auth-v3-checkresponse).

AuthorizationPolicySpec¶

Appears in:

AuthorizationPolicy

AuthorizationPolicySpec defines the spec of an authorization policy

Field	Type	Description
`failurePolicy`	`admissionregistration/v1.FailurePolicyType`	FailurePolicy defines how to handle failures for the policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions. FailurePolicy does not define how validations that evaluate to false are handled. Allowed values are Ignore or Fail. Defaults to Fail.
`matchConditions`	`[]admissionregistration/v1.MatchCondition`	MatchConditions is a list of conditions that must be met for a request to be validated. An empty list of matchConditions matches all requests. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped
`variables`	`[]admissionregistration/v1.Variable`	Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy. The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.
`authorizations`	`[]Authorization`	Authorizations contain CEL expressions which is used to apply the authorization.