v1alpha1
Resource Types¶
AuthorizationPolicy¶
AuthorizationPolicy defines an authorization policy resource
Field | Type | Required | Inline | Description |
---|---|---|---|---|
apiVersion | string | | | `envoy.kyverno.io/v1alpha1` |
kind | string | | | `AuthorizationPolicy` |
metadata | meta/v1.ObjectMeta | | | No description provided. |
spec | AuthorizationPolicySpec | | | No description provided. |
ValidatingPolicy¶
Field | Type | Required | Inline | Description |
---|---|---|---|---|
apiVersion | string | | | `envoy.kyverno.io/v1alpha1` |
kind | string | | | `ValidatingPolicy` |
metadata | meta/v1.ObjectMeta | | | No description provided. |
spec | ValidatingPolicySpec | | | No description provided. |
status | ValidatingPolicyStatus | | | Status contains policy runtime data. |
AdmissionConfiguration¶
Appears in: EvaluationConfiguration
Field | Type | Required | Inline | Description |
---|---|---|---|---|
enabled | bool | No | | Enabled controls whether rules are applied during admission. Optional. Default value is "true". |
Authorization¶
Appears in: AuthorizationPolicySpec
Authorization defines a single authorization policy rule: a match condition and the response to return when it matches.
Field | Type | Required | Inline | Description |
---|---|---|---|---|
match | string | | | Match is the match condition, evaluated by CEL. It must evaluate to bool. |
response | string | | | Response is the response expression, evaluated by CEL (ref: https://github.com/google/cel-spec). The expression has access to the policy's CEL variables as well as some other useful variables: `object`, the incoming request as an Envoy CheckRequest (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#service-auth-v3-checkrequest). The expression is expected to return an Envoy CheckResponse (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto#service-auth-v3-checkresponse). |
AuthorizationPolicySpec¶
Appears in: AuthorizationPolicy
AuthorizationPolicySpec defines the spec of an authorization policy.
Field | Type | Required | Inline | Description |
---|---|---|---|---|
failurePolicy | admissionregistration/v1.FailurePolicyType | | | FailurePolicy defines how to handle failures for the policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors, and invalid or mis-configured policy definitions. FailurePolicy does not define how validations that evaluate to false are handled. Allowed values are Ignore or Fail. Defaults to Fail. |
matchConditions | []admissionregistration/v1.MatchCondition | | | MatchConditions is a list of conditions that must be met for a request to be evaluated. An empty list of matchConditions matches all requests. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): with failurePolicy=Fail, the request is rejected; with failurePolicy=Ignore, the policy is skipped. |
variables | []admissionregistration/v1.Variable | | | Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under |
deny | []Authorization | | | Deny contains the Authorization rules (CEL match/response pairs) used to deny a request. |
allow | []Authorization | | | Allow contains the Authorization rules (CEL match/response pairs) used to allow a request. |
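The following AuthorizationPolicy exercises every field in the spec above. It is an added example written for this page, not a policy from the kyverno-envoy-plugin project's own documentation. It assumes the plugin's CEL response helpers (`envoy.Allowed()`, `envoy.Denied(code)`, `.WithHeader()`, `.WithoutHeader()`, `.Response()`), which this reference does not describe, and reads request attributes from the Envoy CheckRequest layout linked above (`object.attributes.request.http`, `object.attributes.source.principal`). The SPIFFE identity, header names and `/healthz` path are constructed for illustration, and the assumption that deny rules are evaluated before allow rules is noted in the comments.

```yaml
apiVersion: envoy.kyverno.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: api-write-guard
spec:
  # Fail closed: a CEL parse, type-check or runtime error rejects the request
  # instead of letting it through (failurePolicy=Ignore would skip the policy).
  failurePolicy: Fail
  # matchConditions gate the whole policy. FALSE here skips every deny/allow
  # rule, so keep the gate narrow: only health checks bypass authorization.
  matchConditions:
    - name: not-healthcheck
      expression: "object.attributes.request.http.path != '/healthz'"
  # Named sub-expressions, referenced as variables.<name> in the rules below.
  variables:
    - name: http
      expression: "object.attributes.request.http"
    - name: principal
      # mTLS identity Envoy attached to the request (assumed populated by the
      # proxy; empty when the peer did not present a client certificate).
      # Guarded with has() so a missing field is '' rather than a runtime error.
      expression: "has(object.attributes.source) && has(object.attributes.source.principal) ? object.attributes.source.principal : ''"
    - name: isWrite
      expression: "variables.http.method in ['POST', 'PUT', 'PATCH', 'DELETE']"
    - name: isAdmin
      # Constructed identity; in practice this would be a real workload SPIFFE ID.
      expression: "variables.principal == 'spiffe://cluster.local/ns/default/sa/admin'"
  # Assumption: deny rules are evaluated first; the first matching rule's
  # response is returned. Unauthenticated peers and non-admin writes are denied.
  deny:
    - match: "variables.principal == ''"
      response: "envoy.Denied(401).Response()"
    - match: "variables.isWrite && !variables.isAdmin"
      response: "envoy.Denied(403).Response()"
  # Everything that survived the deny rules is allowed. The upstream learns the
  # verified identity from a header the policy sets itself; any client-supplied
  # copy of that header is stripped first so it cannot be spoofed.
  allow:
    - match: "true"
      response: >-
        envoy.Allowed()
          .WithoutHeader('x-authz-principal')
          .WithHeader('x-authz-principal', variables.principal)
          .Response()
```

The security-relevant choices are the ones the spec's own descriptions hint at: `failurePolicy: Fail` so expression errors never become an implicit allow, a `matchConditions` gate that is as narrow as possible (a FALSE skips the policy entirely), identity taken from the proxy-verified `source.principal` rather than from a client-controlled header, and the upstream-facing header being overwritten rather than passed through.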
BackgroundConfiguration¶
Appears in: EvaluationConfiguration
Field | Type | Required | Inline | Description |
---|---|---|---|---|
enabled | bool | No | | Enabled controls whether rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). |
ConditionStatus¶
Appears in: ValidatingPolicyStatus
ConditionStatus is the shared status across all policy types.
Field | Type | Required | Inline | Description |
---|---|---|---|---|
ready | bool | | | Ready is a high-level summary of where the policy is in its lifecycle. The conditions array and the message field contain more detail about the policy's status. |
conditions | []meta/v1.Condition | | | No description provided. |
message | string | | | Message is a human-readable message giving details about the generation of the ValidatingAdmissionPolicy/MutatingAdmissionPolicy. It is an empty string when the ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. |
EvaluationConfiguration¶
Appears in: ValidatingPolicySpec
Field | Type | Required | Inline | Description |
---|---|---|---|---|
mode | EvaluationMode | No | | Mode is the mode of policy evaluation. Allowed values are "Kubernetes" or "JSON". Optional. Default value is "Kubernetes". |
admission | AdmissionConfiguration | | | Admission controls policy evaluation during admission. |
background | BackgroundConfiguration | | | Background controls policy evaluation during background scans. |
EvaluationMode¶
(Alias of string)
Appears in: EvaluationConfiguration
PodControllersGenerationConfiguration¶
Appears in: ValidatingPolicyAutogenConfiguration
Field | Type | Required | Inline | Description |
---|---|---|---|---|
controllers | []string | | | No description provided. |
Target¶
Appears in: ValidatingPolicyAutogen
Field | Type | Required | Inline | Description |
---|---|---|---|---|
group | string | | | No description provided. |
version | string | | | No description provided. |
resource | string | | | No description provided. |
kind | string | | | No description provided. |
ValidatingPolicyAutogen¶
Appears in: ValidatingPolicyAutogenStatus
Field | Type | Required | Inline | Description |
---|---|---|---|---|
targets | []Target | | | No description provided. |
spec | ValidatingPolicySpec | | | No description provided. |
ValidatingPolicyAutogenConfiguration¶
Appears in: ValidatingPolicySpec
Field | Type | Required | Inline | Description |
---|---|---|---|---|
podControllers | PodControllersGenerationConfiguration | | | PodControllers specifies whether to generate rules for pod controllers. |
validatingAdmissionPolicy | VapGenerationConfiguration | | | ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. |
ValidatingPolicyAutogenStatus¶
Appears in: ValidatingPolicyStatus
Field | Type | Required | Inline | Description |
---|---|---|---|---|
configs | map[string]ValidatingPolicyAutogen | | | No description provided. |
ValidatingPolicySpec¶
Appears in: ValidatingPolicy, ValidatingPolicyAutogen
ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.
Field | Type | Required | Inline | Description |
---|---|---|---|---|
matchConstraints | admissionregistration/v1.MatchResources | Yes | | MatchConstraints specifies what resources this policy is designed to validate. The policy cares about a request only if it matches all constraints. Required. |
validations | []admissionregistration/v1.Validation | | | Validations contain the CEL expressions used to apply the validation. Validations and auditAnnotations may not both be empty; at least one validation or auditAnnotation is required. |
failurePolicy | admissionregistration/v1.FailurePolicyType | | | FailurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors, and invalid or mis-configured policy definitions or bindings. FailurePolicy does not define how validations that evaluate to false are handled. When failurePolicy is set to Fail, the validationActions field defines how failures are enforced. Allowed values are Ignore or Fail. Defaults to Fail. |
auditAnnotations | []admissionregistration/v1.AuditAnnotation | | | AuditAnnotations contains CEL expressions used to produce audit annotations for the audit event of the API request. Validations and auditAnnotations may not both be empty; at least one validation or auditAnnotation is required. |
matchConditions | []admissionregistration/v1.MatchCondition | | | MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. A maximum of 64 match conditions is allowed. If a parameter object is provided, it can be accessed via the |
variables | []admissionregistration/v1.Variable | | | Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under |
autogen | ValidatingPolicyAutogenConfiguration | | | Autogen defines the configuration for the generation controller. |
validationActions | []admissionregistration/v1.ValidationAction | Yes | | ValidationActions specifies the action to be taken when a matched resource violates the policy. Required. |
webhookConfiguration | WebhookConfiguration | | | WebhookConfiguration defines the configuration for the webhook. |
evaluation | EvaluationConfiguration | | | Evaluation defines the configuration for policy evaluation. |
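A complete ValidatingPolicy that uses the spec fields above together with the EvaluationConfiguration, autogen and WebhookConfiguration sub-types. It is an added example written for this page, not a policy from the Kyverno project's own documentation. It uses the apiVersion listed in the ValidatingPolicy table of this reference, standard Kubernetes CEL (`has`, `substring`, `lastIndexOf`, `all`, `map`, `join`) over the admission variables `object` and `request`, and the `disallow-latest-tag` name, registry strings and controller list are constructed for illustration.

```yaml
apiVersion: envoy.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: disallow-latest-tag
spec:
  # Required: only Pod CREATE/UPDATE requests reach this policy.
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  # Further narrow the matched requests. This condition reads request.userInfo,
  # which exists only in an admission review, so background scanning is turned
  # off below (the BackgroundConfiguration description requires this).
  matchConditions:
    - name: exclude-kube-system-controllers
      expression: "!request.userInfo.username.startsWith('system:serviceaccount:kube-system:')"
  variables:
    # Init containers are optional in the Pod spec; guard with has().
    - name: allContainers
      expression: "object.spec.containers + (has(object.spec.initContainers) ? object.spec.initContainers : [])"
    # Last path segment of each image reference, so a registry port such as
    # registry.example.com:5000/app is not mistaken for a tag.
    - name: imageNames
      expression: "variables.allContainers.map(c, c.image.substring(c.image.lastIndexOf('/') + 1))"
  validations:
    # Every image must be pinned: either a digest, or an explicit tag that is
    # not ':latest'. Untagged references (implicit latest) fail too.
    - expression: "variables.imageNames.all(n, n.contains('@sha256:') || (n.contains(':') && !n.endsWith(':latest')))"
      message: "All container images must be pinned to a tag or digest; ':latest' and untagged images are not allowed."
      reason: Invalid
  # Record which images were evaluated in the API server audit event.
  auditAnnotations:
    - key: evaluated-images
      valueExpression: "variables.allContainers.map(c, c.image).join(',')"
  # Fail closed on CEL errors; Deny blocks the request, Audit also records it.
  failurePolicy: Fail
  validationActions: [Deny, Audit]
  autogen:
    # Also generate equivalent rules for the listed workload controllers so the
    # Pod template is checked before any Pod is created.
    podControllers:
      controllers: [deployments, statefulsets, daemonsets, jobs, cronjobs]
    # Emit a native ValidatingAdmissionPolicy (default is false).
    validatingAdmissionPolicy:
      enabled: true
  evaluation:
    mode: Kubernetes
    admission:
      enabled: true
    background:
      enabled: false   # matchConditions depend on request.userInfo
  webhookConfiguration:
    timeoutSeconds: 10   # default; allowed range is 1..30
```

Two caveats follow from the field descriptions: `failurePolicy: Fail` combined with a `webhookConfiguration.timeoutSeconds` near the 30 second maximum can turn a slow evaluation into rejected requests, so keep the timeout short and the expressions cheap; and if the policy is later changed to drop the `request.userInfo` condition, `evaluation.background.enabled` can be switched back to `true` so existing Pods are reported as well.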
ValidatingPolicyStatus¶
Appears in: ValidatingPolicy
Field | Type | Required | Inline | Description |
---|---|---|---|---|
conditionStatus | ConditionStatus | | | No description provided. |
autogen | ValidatingPolicyAutogenStatus | | | No description provided. |
generated | bool | | | Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy has been generated from the policy. |
VapGenerationConfiguration¶
Appears in: ValidatingPolicyAutogenConfiguration
Field | Type | Required | Inline | Description |
---|---|---|---|---|
enabled | bool | No | | Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. Optional. Defaults to "false" if not specified. |
WebhookConfiguration¶
Appears in: ValidatingPolicySpec
Field | Type | Required | Inline | Description |
---|---|---|---|---|
timeoutSeconds | int32 | | | TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or the policy results may simply be ignored, depending on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds. |