policies.kyverno.io/v1alpha1

Status contains policy runtime data.

Status contains policy runtime data.

Status contains policy runtime data.

Status contains policy runtime data.

Spec declares policy exception behaviors.

Status contains policy runtime data.

Enabled controls if rules are applied during admission. Optional. Default value is "true".

Name is the name for this attestation. It is used to refer to the attestation in verification

InToto defines the details of attestation attached using intoto format

Referrer defines the details of attestation attached using OCI 1.1 format

Name is the name for this attestor. It is used to refer to the attestor in verification

Cosign defines attestor configuration for Cosign based signatures

Notary defines attestor configuration for Notary based signatures

Enabled controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).

URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)

RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor.

CTLogPubKey, if set, is used to validate SCTs against a custom source.

TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if not present in the timestamurce.

InsecureIgnoreTlog skips transparency log verification.

IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing.

Certificate is the to the public certificate for local signature verification.

CertificateChain is the list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate

The ready of a policy is a high-level summary of where the policy is in its lifecycle. The conditions array, the reason and message fields contain more detail about the policy's status.

Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.

Key defines the type of key to validate the image.

Keyless sets the configuration to verify the authority against a Fulcio instance.

Certificate defines the configuration for local signature verification

Sources sets the configuration to specify the sources from where to consume the signature and attestations.

CTLog sets the configuration to verify the authority against a Rekor instance.

TUF defines the configuration to fetch sigstore root

Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.

AllowInsecureRegistry allows insecure access to a registry.

Providers specifies a list of OCI Registry names, whose authentication providers are provided. It can be of one of these values: default,google,azure,amazon,github.

Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace.

MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

Conditions is a list of conditions that must be met for a resource to be deleted. Conditions filter resources that have already been matched by the match constraints, namespaceSelector, and objectSelector. An empty list of conditions matches all resources. There are a maximum of 64 conditions allowed. The exact matching logic is (in order): 1. If ANY condition evaluates to FALSE, the policy is skipped. 2. If ALL conditions evaluate to TRUE, the policy is executed.

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy. The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

The schedule in Cron format Required.

DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).

Mode is the mode of policy evaluation. Allowed values are "Kubernetes" or "JSON". Optional. Default value is "Kubernetes".

Admission controls policy evaluation during admission.

Background controls policy evaluation during background scan.

Enabled controls whether to trigger the policy for existing resources If is set to "true" the policy will be triggered and applied to existing matched resources. Optional. Defaults to "false" if not specified.

Admission controls policy evaluation during admission.

GenerateExisting defines the configuration for generating resources for existing triggeres.

Synchronization defines the configuration for the synchronization of generated resources.

OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete.

MatchConstraints specifies what resources will trigger this policy. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy. The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

EvaluationConfiguration defines the configuration for the policy evaluation.

WebhookConfiguration defines the configuration for the webhook.

Generation defines a set of CEL expressions that will be evaluated to generate resources. Required.

Expression is a CEL expression that takes a list of resources to be generated.

Issuer defines the issuer for this identity.

Subject defines the subject for this identity.

IssuerRegExp specifies a regular expression to match the issuer for this identity.

SubjectRegExp specifies a regular expression to match the subject for this identity.

Name is the name for this imageList. It is used to refer to the images in verification block as images.

Expression defines CEL expression to extract images from the resource.

PodControllers specifies whether to generate a pod controllers rules.

MatchConstraints specifies what resources this policy is designed to validate.

FailurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.

auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.

ValidationAction specifies the action to be taken when the matched resource violates the policy. Required.

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression.

ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.

MatchImageReferences is a list of Glob and CELExpressions to match images. Any image that matches one of the rules is considered for validation Any image that does not match a rule is skipped, even when they are passed as arguments to image verification functions

Credentials provides credentials that will be used for authentication with registry.

ImageExtractors is a list of CEL expression to extract images from the resource

Attestors provides a list of trusted authorities.

Attestations provides a list of image metadata to verify

Validations contain CEL expressions which is used to apply the image validation checks.

WebhookConfiguration defines the configuration for the webhook.

EvaluationConfiguration defines the configuration for the policy evaluation.

AutogenConfiguration defines the configuration for the generation controller.

Type defines the type of attestation contained within the statement.

Data contains the inline public key

KMS contains the KMS url of the public key Supported formats differ based on the KMS system used.

HashAlgorithm specifues signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512. Defaults to sha256.

Expression is a Expression expression that returns the public key.

Identities sets a list of identities.

Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.

Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy. Optional. Defaults to "false" if not specified.

Glob defines a globbing pattern for matching images

Expression defines CEL Expressions for matching images

Enabled enables mutation of existing resources. Default is false. When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.

PodControllers specifies whether to generate a pod controllers rules.

MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.

Admission controls policy evaluation during admission.

MutateExisting controls whether existing resources are mutated.

MatchConstraints specifies what resources this policy is designed to evaluate. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings. failurePolicy does not define how validations that evaluate to false are handled. When failurePolicy is set to Fail, the validationActions field define how failures are enforced. Allowed values are Ignore or Fail. Defaults to Fail.

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy. The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

AutogenConfiguration defines the configuration for the generation controller.

TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.

mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.

WebhookConfiguration defines the configuration for the webhook.

EvaluationConfiguration defines the configuration for mutating policy evaluation.

reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded". Never: These mutations will not be called more than once per binding in a single admission evaluation. IfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.

Generated indicates whether a MutatingAdmissionPolicy is generated from the policy or not

Certs define the cert chain for Notary signature verification

TSACerts define the cert chain for verifying timestamps of notary signature

Enabled controls whether generated resources should be deleted when the policy that generated them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. Optional. Defaults to "false" if not specified.

PolicyRefs identifies the policies to which the exception is applied.

MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.

Images specifies container images to be excluded from policy evaluation. These excluded images can be referenced in CEL expressions via exceptions.allowedImages.

AllowedValues specifies values that can be used in CEL expressions to bypass policy checks. These values can be referenced in CEL expressions via exceptions.allowedValues.

Name is the name of the policy

Kind is the kind of the policy

Type defines the type of attestation attached to the image.

Repository defines the location from where to pull the signature / attestations.

SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source.

TagPrefix is an optional prefix that signature and attestations have. This is the 'tag based discovery' and in the future once references are fully supported that should likely be the preferred way to handle these.

Value defines the raw string input.

Expression defines the a CEL expression input.

Enabled controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified.

Root defines the path or data of the trusted root

Mirror is the base URL of Sigstore TUF repository

Path is the URL or File location of the TUF root

Data is the base64 encoded TUF root

PodControllers specifies whether to generate a pod controllers rules.

ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.

MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.

failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings. failurePolicy does not define how validations that evaluate to false are handled. When failurePolicy is set to Fail, the validationActions field define how failures are enforced. Allowed values are Ignore or Fail. Defaults to Fail.

auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions. The exact matching logic is (in order): 1. If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, the policy is skipped

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy. The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

AutogenConfiguration defines the configuration for the generation controller.

ValidationAction specifies the action to be taken when the matched resource violates the policy. Required.

WebhookConfiguration defines the configuration for the webhook.

EvaluationConfiguration defines the configuration for the policy evaluation.

Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not

MutateDigest enables replacement of image tags with digests. Defaults to true.

VerifyDigest validates that images have a digest.

Required validates that images are verified, i.e., have passed a signature or attestation check.

Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. Optional. Defaults to "false" if not specified.

TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.