v1alpha1

Resource Types

AuthorizationPolicy

AuthorizationPolicy defines an authorization policy resource

Field Type Required Inline Description
apiVersion string ✅ envoy.kyverno.io/v1alpha1
kind string ✅ AuthorizationPolicy
metadata meta/v1.ObjectMeta ✅ No description provided.
spec AuthorizationPolicySpec ✅ No description provided.

ValidatingPolicy

Field Type Required Inline Description
apiVersion string ✅ envoy.kyverno.io/v1alpha1
kind string ✅ ValidatingPolicy
metadata meta/v1.ObjectMeta ✅ No description provided.
spec ValidatingPolicySpec ✅ No description provided.
status ValidatingPolicyStatus

Status contains policy runtime data.

AdmissionConfiguration

Field Type Required Inline Description
enabled bool

Enabled controls whether rules are applied during admission. Optional. Default value is "true".

Authorization

Authorization defines an authorization policy rule

Field Type Required Inline Description
match string

Match represents the match condition, which will be evaluated by CEL. It must evaluate to bool.

response string ✅

Response represents the response expression, which will be evaluated by CEL (ref: https://github.com/google/cel-spec). CEL expressions have access to CEL variables as well as some other useful variables:

- 'object' - The object from the incoming request (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#service-auth-v3-checkrequest).

CEL expressions are expected to return an Envoy CheckResponse (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#service-auth-v3-checkresponse).

AuthorizationPolicySpec

AuthorizationPolicySpec defines the spec of an authorization policy

Field Type Required Inline Description
failurePolicy admissionregistration/v1.FailurePolicyType

FailurePolicy defines how to handle failures for the policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or misconfigured policy definitions. FailurePolicy does not define how validations that evaluate to false are handled. Allowed values are Ignore or Fail. Defaults to Fail.

matchConditions []admissionregistration/v1.MatchCondition

MatchConditions is a list of conditions that must be met for a request to be validated. An empty list of matchConditions matches all requests. The exact matching logic is (in order):

1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
3. If any matchCondition evaluates to an error (but none are FALSE):
   - If failurePolicy=Fail, reject the request
   - If failurePolicy=Ignore, the policy is skipped

variables []admissionregistration/v1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy. The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

deny []Authorization

Deny contains CEL expressions which are used to deny a request.

allow []Authorization

Allow contains CEL expressions which are used to allow a request.

BackgroundConfiguration

Field Type Required Inline Description
enabled bool

Enabled controls whether rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).

ConditionStatus

ConditionStatus is the shared status across all policy types

Field Type Required Inline Description
ready bool

The ready field of a policy is a high-level summary of where the policy is in its lifecycle. The conditions array and the reason and message fields contain more detail about the policy's status.

conditions []meta/v1.Condition No description provided.
message string

Message is a human readable message indicating details about the generation of the ValidatingAdmissionPolicy/MutatingAdmissionPolicy. It is an empty string when the ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.

EvaluationConfiguration

Field Type Required Inline Description
mode EvaluationMode

Mode is the mode of policy evaluation. Allowed values are "Kubernetes" or "JSON". Optional. Default value is "Kubernetes".

admission AdmissionConfiguration

Admission controls policy evaluation during admission.

background BackgroundConfiguration

Background controls policy evaluation during background scan.

EvaluationMode

(Alias of string)

PodControllersGenerationConfiguration

Field Type Required Inline Description
controllers []string ✅ No description provided.

Target

Field Type Required Inline Description
group string ✅ No description provided.
version string ✅ No description provided.
resource string ✅ No description provided.
kind string ✅ No description provided.

ValidatingPolicyAutogen

Field Type Required Inline Description
targets []Target ✅ No description provided.
spec ValidatingPolicySpec ✅ No description provided.

ValidatingPolicyAutogenConfiguration

Field Type Required Inline Description
podControllers PodControllersGenerationConfiguration ✅

PodControllers specifies whether to generate pod controller rules.

validatingAdmissionPolicy VapGenerationConfiguration ✅

ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.

ValidatingPolicyAutogenStatus

Field Type Required Inline Description
configs map[string]ValidatingPolicyAutogen ✅ No description provided.

ValidatingPolicySpec

ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.

Field Type Required Inline Description
matchConstraints admissionregistration/v1.MatchResources ✅

MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

validations []admissionregistration/v1.Validation

Validations contain CEL expressions which are used to apply the validation. Validations and AuditAnnotations may not both be empty; at least one of Validations or AuditAnnotations is required.

failurePolicy admissionregistration/v1.FailurePolicyType

failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or misconfigured policy definitions or bindings. failurePolicy does not define how validations that evaluate to false are handled. When failurePolicy is set to Fail, the validationActions field defines how failures are enforced. Allowed values are Ignore or Fail. Defaults to Fail.

auditAnnotations []admissionregistration/v1.AuditAnnotation

auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is required.

matchConditions []admissionregistration/v1.MatchCondition

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions. The exact matching logic is (in order):

1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
3. If any matchCondition evaluates to an error (but none are FALSE):
   - If failurePolicy=Fail, reject the request
   - If failurePolicy=Ignore, the policy is skipped

variables []admissionregistration/v1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy. The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.
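The three-step matchConditions rule and the variable ordering rule above (both stated for ValidatingPolicySpec and, identically, for AuthorizationPolicySpec) interact with failurePolicy in ways that are easy to get wrong: a FALSE condition skips the policy even when another condition errored, an error with no FALSE is a rejection only under Fail, and a variable that refers to one declared later is a failure rather than a false validation. The following Python simulation of that evaluation order is an added example written for this page, not Kyverno's evaluator. CEL expressions are modelled as Python callables that either return a value or raise (standing in for a CEL parse, type-check or runtime error); the Policy dataclass, evaluate_policy, check_variable_order, sample_policy and the sample Pod objects are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable

# A CEL expression is modelled as a callable over (object, variables).
# Raising an exception stands in for a CEL parse, type-check or runtime error.
Expr = Callable[[dict, dict], Any]

SKIPPED, PASSED, VIOLATED, REJECTED = "skipped", "passed", "violated", "rejected"


@dataclass
class Policy:                              # constructed stand-in for the spec above
    match_conditions: list[Expr]           # evaluated first, without access to variables
    variables: list[tuple[str, Expr]]      # evaluated in order; each sees earlier ones only
    validations: list[Expr]                # must all be true for the request to pass
    failure_policy: str = "Fail"           # "Fail" or "Ignore"


def evaluate_match_conditions(policy: Policy, obj: dict) -> bool:
    """Apply the documented three-step rule.

    Returns True when the policy must be evaluated and False when it is skipped.
    Raises when some condition errored, none was FALSE, and failurePolicy=Fail.
    Conditions are specified to return bool, so only an actual False counts.
    """
    saw_error = False
    for cond in policy.match_conditions:
        try:
            if cond(obj, {}) is False:     # step 1: any FALSE wins, even after an error
                return False
        except Exception:
            saw_error = True               # keep going: a later FALSE still means "skip"
    if not saw_error:
        return True                        # step 2: all TRUE
    if policy.failure_policy == "Fail":    # step 3: an error and nothing FALSE
        raise RuntimeError("matchCondition error with failurePolicy=Fail")
    return False                           # failurePolicy=Ignore: the policy is skipped


def evaluate_policy(policy: Policy, obj: dict) -> str:
    """Run matchConditions, then variables in declaration order, then validations."""
    try:
        if not evaluate_match_conditions(policy, obj):
            return SKIPPED
        variables: dict[str, Any] = {}
        for name, expr in policy.variables:
            # Only variables declared earlier are present in `variables`, so a
            # forward reference raises KeyError and is handled as a failure.
            variables[name] = expr(obj, variables)
        for validation in policy.validations:
            if not validation(obj, variables):
                return VIOLATED            # a false validation is a decision, not a failure
        return PASSED
    except Exception:
        return REJECTED if policy.failure_policy == "Fail" else SKIPPED


def check_variable_order(declared: list[tuple[str, list[str]]]) -> tuple[str, str] | None:
    """Static check of the ordering rule: every reference must name a variable
    declared earlier in the list (declared-before-used also implies acyclic).
    Returns the first offending (variable, reference) pair, or None."""
    seen: set[str] = set()
    for name, refs in declared:
        for ref in refs:
            if ref not in seen:
                return (name, ref)
        seen.add(name)
    return None


# Constructed sample admission objects (not taken from the page).
SAMPLE_POD = {
    "kind": "Pod",
    "metadata": {"namespace": "prod", "labels": {"app": "web"}},
    "spec": {"containers": [{"name": "web", "image": "registry.example/web:1.2.0"}]},
}
LATEST_POD = {
    "kind": "Pod",
    "metadata": {"namespace": "prod"},
    "spec": {"containers": [{"name": "web", "image": "registry.example/web:latest"}]},
}

# Constructed stand-ins for CEL expressions.
not_kube_system: Expr = lambda obj, _: obj["metadata"]["namespace"] != "kube-system"
is_pod: Expr = lambda obj, _: obj["kind"] == "Pod"
images_expr: Expr = lambda obj, _: [c["image"] for c in obj["spec"]["containers"]]
all_tagged_expr: Expr = lambda _, v: all(":" in i and not i.endswith(":latest") for i in v["images"])
broken_expr: Expr = lambda obj, _: obj["spec"]["nodeName"] == "worker-1"   # KeyError at runtime


def sample_policy(failure_policy: str = "Fail", match_conditions: list[Expr] | None = None) -> Policy:
    """Image-tag policy; variables are ordered so that `allTagged` may use `images`."""
    return Policy(
        match_conditions=[not_kube_system, is_pod] if match_conditions is None else match_conditions,
        variables=[("images", images_expr), ("allTagged", all_tagged_expr)],
        validations=[lambda _, v: v["allTagged"]],
        failure_policy=failure_policy,
    )


if __name__ == "__main__":
    print(evaluate_policy(sample_policy(), SAMPLE_POD))                                        # passed
    print(evaluate_policy(sample_policy(), LATEST_POD))                                        # violated
    print(evaluate_policy(sample_policy(match_conditions=[broken_expr]), SAMPLE_POD))          # rejected
    print(evaluate_policy(sample_policy("Ignore", match_conditions=[broken_expr]), SAMPLE_POD))  # skipped
    print(check_variable_order([("allTagged", ["images"]), ("images", [])]))  # ('allTagged', 'images')
```

The `broken_expr` cases are the ones worth internalising: the same erroring condition produces a rejected request under Fail and a silently skipped policy under Ignore, so a policy whose matchConditions touch optional fields should guard them explicitly rather than rely on the failure policy. Reversing the two variables in `sample_policy` turns a clean violation into a rejection (or a skip under Ignore), which is the ordering constraint the text describes.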

autogen ValidatingPolicyAutogenConfiguration

AutogenConfiguration defines the configuration for the generation controller.

validationActions []admissionregistration/v1.ValidationAction ✅

ValidationAction specifies the action to be taken when the matched resource violates the policy. Required.

webhookConfiguration WebhookConfiguration

WebhookConfiguration defines the configuration for the webhook.

evaluation EvaluationConfiguration

EvaluationConfiguration defines the configuration for the policy evaluation.

ValidatingPolicyStatus

Field Type Required Inline Description
conditionStatus ConditionStatus No description provided.
autogen ValidatingPolicyAutogenStatus No description provided.
generated bool

Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not.

VapGenerationConfiguration

Field Type Required Inline Description
enabled bool ✅

Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. Optional. Defaults to "false" if not specified.

WebhookConfiguration

Field Type Required Inline Description
timeoutSeconds int32 ✅

TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds.