### DeletingPolicy

| Field | Type | Description |
|---|---|---|
| `apiVersion` | string | `policies.kyverno.io/v1alpha1` |
| `kind` | string | `DeletingPolicy` |
| `metadata` * | meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the `metadata` field. |
| `spec` * | DeletingPolicySpec | |
| `status` | DeletingPolicyStatus | Status contains policy runtime data. |
### GeneratingPolicy

| Field | Type | Description |
|---|---|---|
| `apiVersion` | string | `policies.kyverno.io/v1alpha1` |
| `kind` | string | `GeneratingPolicy` |
| `metadata` * | meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the `metadata` field. |
| `spec` * | GeneratingPolicySpec | |
| `status` | GeneratingPolicyStatus | Status contains policy runtime data. |
### ImageValidatingPolicy

| Field | Type | Description |
|---|---|---|
| `apiVersion` | string | `policies.kyverno.io/v1alpha1` |
| `kind` | string | `ImageValidatingPolicy` |
| `metadata` * | meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the `metadata` field. |
| `spec` * | ImageValidatingPolicySpec | |
| `status` | ImageValidatingPolicyStatus | Status contains policy runtime data. |
### MutatingPolicy

| Field | Type | Description |
|---|---|---|
| `apiVersion` | string | `policies.kyverno.io/v1alpha1` |
| `kind` | string | `MutatingPolicy` |
| `metadata` * | meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the `metadata` field. |
| `spec` * | MutatingPolicySpec | |
| `status` | MutatingPolicyStatus | Status contains policy runtime data. |
### PolicyException

PolicyException declares resources to be excluded from specified policies.

| Field | Type | Description |
|---|---|---|
| `apiVersion` | string | `policies.kyverno.io/v1alpha1` |
| `kind` | string | `PolicyException` |
| `metadata` * | meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the `metadata` field. |
| `spec` * | PolicyExceptionSpec | Spec declares policy exception behaviors. |
### ValidatingPolicy

| Field | Type | Description |
|---|---|---|
| `apiVersion` | string | `policies.kyverno.io/v1alpha1` |
| `kind` | string | `ValidatingPolicy` |
| `metadata` * | meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the `metadata` field. |
| `spec` * | ValidatingPolicySpec | |
| `status` | ValidatingPolicyStatus | Status contains policy runtime data. |
### AdmissionConfiguration

(Appears in: EvaluationConfiguration, GeneratingPolicyEvaluationConfiguration, MutatingPolicyEvaluationConfiguration)

| Field | Type | Description |
|---|---|---|
| `enabled` | bool | Enabled controls if rules are applied during admission. Optional. Default value is "true". |
### Attestation

(Appears in: ImageValidatingPolicySpec)

Attestation defines the identification details of the metadata that has to be verified.

| Field | Type | Description |
|---|---|---|
| `name` * | string | Name is the name for this attestation. It is used to refer to the attestation in verification. |
| `intoto` | InToto | InToto defines the details of an attestation attached using the in-toto format. |
| `referrer` | Referrer | Referrer defines the details of an attestation attached using the OCI 1.1 referrers format. |
### Attestor

(Appears in: ImageValidatingPolicySpec)

Attestor is an identity that confirms or verifies the authenticity of an image or an attestation.

| Field | Type | Description |
|---|---|---|
| `name` * | string | Name is the name for this attestor. It is used to refer to the attestor in verification. |
| `cosign` | Cosign | Cosign defines attestor configuration for Cosign based signatures. |
| `notary` | Notary | Notary defines attestor configuration for Notary based signatures. |
### BackgroundConfiguration

(Appears in: EvaluationConfiguration)

| Field | Type | Description |
|---|---|---|
| `enabled` | bool | Enabled controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). |
### CTLog

(Appears in: Cosign)

CTLog sets the configuration to verify the authority against a Rekor instance.

| Field | Type | Description |
|---|---|---|
| `url` | string | URL sets the URL of the Rekor instance (by default the public rekor.sigstore.dev). |
| `rekorPubKey` | string | RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor. |
| `ctLogPubKey` | string | CTLogPubKey, if set, is used to validate SCTs against a custom source. |
| `tsaCertChain` | string | TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC 3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if not present in the timestamp. |
| `insecureIgnoreTlog` | bool | InsecureIgnoreTlog skips transparency log verification. |
| `insecureIgnoreSCT` | bool | IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing. |
### Certificate

(Appears in: Cosign)

Certificate defines the configuration for local signature verification.

| Field | Type | Description |
|---|---|---|
| `cert` | StringOrExpression | Certificate is the public certificate for local signature verification. |
| `certChain` | StringOrExpression | CertificateChain is the list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. |
### ConditionStatus

(Appears in: DeletingPolicyStatus, GeneratingPolicyStatus, ImageValidatingPolicyStatus, MutatingPolicyStatus, ValidatingPolicyStatus)

ConditionStatus is the shared status across all policy types.

| Field | Type | Description |
|---|---|---|
| `ready` | bool | The ready field of a policy is a high-level summary of where the policy is in its lifecycle. The conditions array and the reason and message fields contain more detail about the policy's status. |
| `conditions` | []meta/v1.Condition | |
| `message` | string | Message is a human readable message indicating details about the generation of the ValidatingAdmissionPolicy/MutatingAdmissionPolicy. It is an empty string when the ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated. |
### Cosign

(Appears in: Attestor)

Cosign defines attestor configuration for Cosign based signatures.

| Field | Type | Description |
|---|---|---|
| `key` | Key | Key defines the type of key to validate the image. |
| `keyless` | Keyless | Keyless sets the configuration to verify the authority against a Fulcio instance. |
| `certificate` | Certificate | Certificate defines the configuration for local signature verification. |
| `source` | Source | Source sets the configuration to specify the sources from where to consume the signature and attestations. |
| `ctlog` | CTLog | CTLog sets the configuration to verify the authority against a Rekor instance. |
| `tuf` | TUF | TUF defines the configuration to fetch the Sigstore root. |
| `annotations` | map[string]string | Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs. |
### Credentials

(Appears in: ImageValidatingPolicySpec)

| Field | Type | Description |
|---|---|---|
| `allowInsecureRegistry` | bool | AllowInsecureRegistry allows insecure access to a registry. |
| `providers` | []CredentialsProvidersType | Providers specifies a list of OCI registry names whose authentication providers are provided. Each entry can be one of these values: default, google, azure, amazon, github. |
| `secrets` | []string | Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. |
### CredentialsProvidersType

(string alias) (Appears in: Credentials)

CredentialsProvidersType provides the list of credential providers required.
### DeletingPolicySpec

(Appears in: DeletingPolicy)

DeletingPolicySpec is the specification of the desired behavior of the DeletingPolicy.

| Field | Type | Description |
|---|---|---|
| `matchConstraints` * | admissionregistration/v1.MatchResources | MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches all Constraints. Required. |
| `conditions` | []admissionregistration/v1.MatchCondition | Conditions is a list of conditions that must be met for a resource to be deleted. Conditions filter resources that have already been matched by the match constraints, namespaceSelector, and objectSelector. An empty list of conditions matches all resources. There are a maximum of 64 conditions allowed. The exact matching logic is (in order): |
| `variables` | []admissionregistration/v1.Variable | Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic. |
| `schedule` * | string | The schedule in Cron format. Required. |
| `deletionPropagationPolicy` | meta/v1.DeletionPropagation | DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan). |
### DeletingPolicyStatus

(Appears in: DeletingPolicy)

| Field | Type | Description |
|---|---|---|
| `conditionStatus` | ConditionStatus | |
| `lastExecutionTime` * | meta/v1.Time | |
### EvaluationConfiguration

(Appears in: ImageValidatingPolicySpec, ValidatingPolicySpec)

| Field | Type | Description |
|---|---|---|
| `mode` | EvaluationMode | Mode is the mode of policy evaluation. Allowed values are "Kubernetes" or "JSON". Optional. Default value is "Kubernetes". |
| `admission` | AdmissionConfiguration | Admission controls policy evaluation during admission. |
| `background` | BackgroundConfiguration | Background controls policy evaluation during background scan. |
### EvaluationMode

(string alias) (Appears in: EvaluationConfiguration)
### GenerateExistingConfiguration

(Appears in: GeneratingPolicyEvaluationConfiguration)

GenerateExistingConfiguration defines the configuration for generating resources for existing triggers.

| Field | Type | Description |
|---|---|---|
| `enabled` | bool | Enabled controls whether to trigger the policy for existing resources. If set to "true" the policy will be triggered and applied to existing matched resources. Optional. Defaults to "false" if not specified. |
### GeneratingPolicyEvaluationConfiguration

(Appears in: GeneratingPolicySpec)

| Field | Type | Description |
|---|---|---|
| `admission` | AdmissionConfiguration | Admission controls policy evaluation during admission. |
| `generateExisting` | GenerateExistingConfiguration | GenerateExisting defines the configuration for generating resources for existing triggers. |
| `synchronize` | SynchronizationConfiguration | Synchronization defines the configuration for the synchronization of generated resources. |
| `orphanDownstreamOnPolicyDelete` * | OrphanDownstreamOnPolicyDeleteConfiguration | OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete. |
### GeneratingPolicySpec

(Appears in: GeneratingPolicy)

GeneratingPolicySpec is the specification of the desired behavior of the GeneratingPolicy.

| Field | Type | Description |
|---|---|---|
| `matchConstraints` * | admissionregistration/v1.MatchResources | MatchConstraints specifies what resources will trigger this policy. The AdmissionPolicy cares about a request if it matches all Constraints. Required. |
| `matchConditions` | []admissionregistration/v1.MatchCondition | MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the The exact matching logic is (in order): |
| `variables` | []admissionregistration/v1.Variable | Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic. |
| `evaluation` | GeneratingPolicyEvaluationConfiguration | EvaluationConfiguration defines the configuration for the policy evaluation. |
| `webhookConfiguration` | WebhookConfiguration | WebhookConfiguration defines the configuration for the webhook. |
| `generate` * | []Generation | Generation defines a set of CEL expressions that will be evaluated to generate resources. Required. |
### GeneratingPolicyStatus

(Appears in: GeneratingPolicy)

| Field | Type | Description |
|---|---|---|
| `conditionStatus` | ConditionStatus | |
### Generation

(Appears in: GeneratingPolicySpec)

Generation defines the configuration for the generation of resources.

| Field | Type | Description |
|---|---|---|
| `expression` * | string | Expression is a CEL expression that takes a list of resources to be generated. |
### Identity

(Appears in: Keyless)

Identity may contain the issuer and/or the subject found in the transparency log. Issuer/Subject use a strict match, while IssuerRegExp and SubjectRegExp apply a regexp for matching.

| Field | Type | Description |
|---|---|---|
| `issuer` | string | Issuer defines the issuer for this identity. |
| `subject` | string | Subject defines the subject for this identity. |
| `issuerRegExp` | string | IssuerRegExp specifies a regular expression to match the issuer for this identity. |
| `subjectRegExp` | string | SubjectRegExp specifies a regular expression to match the subject for this identity. |
### ImageExtractor

(Appears in: ImageValidatingPolicySpec)

| Field | Type | Description |
|---|---|---|
| `name` * | string | Name is the name for this image list. It is used to refer to the extracted images in the verification block as images. |
| `expression` * | string | Expression defines a CEL expression to extract images from the resource. |
### ImageValidatingPolicyAutogen

(Appears in: ImageValidatingPolicyAutogenStatus)

| Field | Type | Description |
|---|---|---|
| `targets` * | []Target | |
| `spec` * | ImageValidatingPolicySpec | |
### ImageValidatingPolicyAutogenConfiguration

(Appears in: ImageValidatingPolicySpec)

| Field | Type | Description |
|---|---|---|
| `podControllers` * | PodControllersGenerationConfiguration | PodControllers specifies whether to generate pod controller rules. |
### ImageValidatingPolicyAutogenStatus

(Appears in: ImageValidatingPolicyStatus)

| Field | Type | Description |
|---|---|---|
| `configs` * | map[string]ImageValidatingPolicyAutogen | |
### ImageValidatingPolicySpec

(Appears in: ImageValidatingPolicy, ImageValidatingPolicyAutogen)

ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.

| Field | Type | Description |
|---|---|---|
| `matchConstraints` | admissionregistration/v1.MatchResources | MatchConstraints specifies what resources this policy is designed to validate. |
| `failurePolicy` | admissionregistration/v1.FailurePolicyType | FailurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings. |
| `auditAnnotations` | []admissionregistration/v1.AuditAnnotation | auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is required. |
| `validationActions` * | []admissionregistration/v1.ValidationAction | ValidationAction specifies the action to be taken when the matched resource violates the policy. Required. |
| `matchConditions` | []admissionregistration/v1.MatchCondition | MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. |
| `variables` | []admissionregistration/v1.Variable | Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. |
| `validationConfigurations` | ValidationConfiguration | ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures. |
| `matchImageReferences` | []MatchImageReference | MatchImageReferences is a list of Glob and CEL expressions to match images. Any image that matches one of the rules is considered for validation. Any image that does not match a rule is skipped, even when it is passed as an argument to image verification functions. |
| `credentials` * | Credentials | Credentials provides credentials that will be used for authentication with the registry. |
| `images` | []ImageExtractor | ImageExtractors is a list of CEL expressions to extract images from the resource. |
| `attestors` * | []Attestor | Attestors provides a list of trusted authorities. |
| `attestations` | []Attestation | Attestations provides a list of image metadata to verify. |
| `validations` * | []admissionregistration/v1.Validation | Validations contain CEL expressions which are used to apply the image validation checks. |
| `webhookConfiguration` | WebhookConfiguration | WebhookConfiguration defines the configuration for the webhook. |
| `evaluation` | EvaluationConfiguration | EvaluationConfiguration defines the configuration for the policy evaluation. |
| `autogen` | ImageValidatingPolicyAutogenConfiguration | AutogenConfiguration defines the configuration for the generation controller. |
### ImageValidatingPolicyStatus

(Appears in: ImageValidatingPolicy)

| Field | Type | Description |
|---|---|---|
| `conditionStatus` | ConditionStatus | |
| `autogen` | ImageValidatingPolicyAutogenStatus | |
### InToto

(Appears in: Attestation)

| Field | Type | Description |
|---|---|---|
| `type` * | string | Type defines the type of attestation contained within the statement. |
### Key

(Appears in: Cosign)

A Key must specify only one of CEL, Data or KMS.

| Field | Type | Description |
|---|---|---|
| `data` | string | Data contains the inline public key. |
| `kms` | string | KMS contains the KMS URL of the public key. Supported formats differ based on the KMS system used. |
| `hashAlgorithm` | string | HashAlgorithm specifies the signature hash algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512. Defaults to sha256. |
| `expression` | string | Expression is a CEL expression that returns the public key. |
### Keyless

(Appears in: Cosign)

Keyless contains the location of the validating certificate and the identities against which to verify.

| Field | Type | Description |
|---|---|---|
| `identities` * | []Identity | Identities sets a list of identities. |
| `roots` * | string | Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used. |
### MAPGenerationConfiguration

(Appears in: MutatingPolicyAutogenConfiguration)

| Field | Type | Description |
|---|---|---|
| `enabled` * | bool | Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy. Optional. Defaults to "false" if not specified. |
### MatchImageReference

(Appears in: ImageValidatingPolicySpec)

MatchImageReference defines a Glob or a CEL expression for matching images.

| Field | Type | Description |
|---|---|---|
| `glob` | string | Glob defines a globbing pattern for matching images. |
| `expression` | string | Expression defines a CEL expression for matching images. |
### MutateExistingConfiguration

(Appears in: MutatingPolicyEvaluationConfiguration)

| Field | Type | Description |
|---|---|---|
| `enabled` | bool | Enabled enables mutation of existing resources. Default is false. When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints. |
### MutatingPolicyAutogen

(Appears in: MutatingPolicyAutogenStatus)

| Field | Type | Description |
|---|---|---|
| `targets` * | []Target | |
| `spec` * | MutatingPolicySpec | |
### MutatingPolicyAutogenConfiguration

(Appears in: MutatingPolicySpec)

| Field | Type | Description |
|---|---|---|
| `podControllers` * | PodControllersGenerationConfiguration | PodControllers specifies whether to generate pod controller rules. |
| `mutatingAdmissionPolicy` * | MAPGenerationConfiguration | MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy. |
### MutatingPolicyAutogenStatus

(Appears in: MutatingPolicyStatus)

| Field | Type | Description |
|---|---|---|
| `configs` * | map[string]MutatingPolicyAutogen | |
### MutatingPolicyEvaluationConfiguration

(Appears in: MutatingPolicySpec)

| Field | Type | Description |
|---|---|---|
| `admission` | AdmissionConfiguration | Admission controls policy evaluation during admission. |
| `mutateExisting` | MutateExistingConfiguration | MutateExisting controls whether existing resources are mutated. |
### MutatingPolicySpec

(Appears in: MutatingPolicy, MutatingPolicyAutogen)

MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.

| Field | Type | Description |
|---|---|---|
| `matchConstraints` * | admissionregistration/v1alpha1.MatchResources | MatchConstraints specifies what resources this policy is designed to evaluate. The AdmissionPolicy cares about a request if it matches all Constraints. Required. |
| `failurePolicy` | admissionregistration/v1alpha1.FailurePolicyType | failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings. failurePolicy does not define how validations that evaluate to false are handled. When failurePolicy is set to Fail, the validationActions field defines how failures are enforced. Allowed values are Ignore or Fail. Defaults to Fail. |
| `matchConditions` | []admissionregistration/v1alpha1.MatchCondition | MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the The exact matching logic is (in order): |
| `variables` | []admissionregistration/v1alpha1.Variable | Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic. |
| `autogen` | MutatingPolicyAutogenConfiguration | AutogenConfiguration defines the configuration for the generation controller. |
| `targetMatchConstraints` | admissionregistration/v1alpha1.MatchResources | TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate. |
| `mutations` | []admissionregistration/v1alpha1.Mutation | mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis. |
| `webhookConfiguration` | WebhookConfiguration | WebhookConfiguration defines the configuration for the webhook. |
| `evaluation` | MutatingPolicyEvaluationConfiguration | EvaluationConfiguration defines the configuration for mutating policy evaluation. |
| `reinvocationPolicy` * | admissionregistration/v1alpha1.ReinvocationPolicyType | reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded". Never: these mutations will not be called more than once per binding in a single admission evaluation. IfNeeded: these mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required. |
### MutatingPolicyStatus

(Appears in: MutatingPolicy)

| Field | Type | Description |
|---|---|---|
| `conditionStatus` | ConditionStatus | |
| `autogen` | MutatingPolicyAutogenStatus | |
| `generated` | bool | Generated indicates whether a MutatingAdmissionPolicy is generated from the policy or not. |
### Notary

(Appears in: Attestor)

Notary defines attestor configuration for Notary based signatures.

| Field | Type | Description |
|---|---|---|
| `certs` | StringOrExpression | Certs define the cert chain for Notary signature verification. |
| `tsaCerts` | StringOrExpression | TSACerts define the cert chain for verifying timestamps of Notary signatures. |
### OrphanDownstreamOnPolicyDeleteConfiguration

(Appears in: GeneratingPolicyEvaluationConfiguration)

OrphanDownstreamOnPolicyDeleteConfiguration defines the configuration for orphaning downstream resources on policy delete.

| Field | Type | Description |
|---|---|---|
| `enabled` | bool | Enabled controls whether generated resources should be deleted when the policy that generated them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. Optional. Defaults to "false" if not specified. |
### PodControllersGenerationConfiguration

(Appears in: ImageValidatingPolicyAutogenConfiguration, MutatingPolicyAutogenConfiguration, ValidatingPolicyAutogenConfiguration)

| Field | Type | Description |
|---|---|---|
| `controllers` * | []string | |
### PolicyExceptionSpec

(Appears in: PolicyException)

PolicyExceptionSpec stores the policy exception spec.

| Field | Type | Description |
|---|---|---|
| `policyRefs` * | []PolicyRef | PolicyRefs identifies the policies to which the exception is applied. |
| `matchConditions` | []admissionregistration/v1.MatchCondition | MatchConditions is a list of CEL expressions that must be met for a resource to be excluded. |
### PolicyRef

(Appears in: PolicyExceptionSpec)

| Field | Type | Description |
|---|---|---|
| `name` * | string | Name is the name of the policy. |
| `kind` * | string | Kind is the kind of the policy. |
### Referrer

(Appears in: Attestation)

| Field | Type | Description |
|---|---|---|
| `type` * | string | Type defines the type of attestation attached to the image. |
### Source

(Appears in: Cosign)

Source specifies the location of the signature / attestations.

| Field | Type | Description |
|---|---|---|
| `repository` | string | Repository defines the location from where to pull the signature / attestations. |
| `PullSecrets` | []core/v1.LocalObjectReference | SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source. |
| `tagPrefix` | string | TagPrefix is an optional prefix that signature and attestations have. This is the 'tag based discovery' and in the future once references are fully supported that should likely be the preferred way to handle these. |
### StringOrExpression

(Appears in: Certificate, Notary)

StringOrExpression contains either a raw string input or a CEL expression.

| Field | Type | Description |
|---|---|---|
| `value` | string | Value defines the raw string input. |
| `expression` | string | Expression defines a CEL expression input. |
### SynchronizationConfiguration

(Appears in: GeneratingPolicyEvaluationConfiguration)

SynchronizationConfiguration defines the configuration for the synchronization of generated resources.

| Field | Type | Description |
|---|---|---|
| `enabled` | bool | Enabled controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. |
### TUF

(Appears in: Cosign)

TUF defines the configuration to fetch the Sigstore root.

| Field | Type | Description |
|---|---|---|
| `root` | TUFRoot | Root defines the path or data of the trusted root. |
| `mirror` | string | Mirror is the base URL of the Sigstore TUF repository. |
### TUFRoot

(Appears in: TUF)

TUFRoot defines the path or data of the trusted root.

| Field | Type | Description |
|---|---|---|
| `path` | string | Path is the URL or file location of the TUF root. |
| `data` | string | Data is the base64 encoded TUF root. |
### Target

(Appears in: ImageValidatingPolicyAutogen, MutatingPolicyAutogen, ValidatingPolicyAutogen)

| Field | Type | Description |
|---|---|---|
| `group` * | string | |
| `version` * | string | |
| `resource` * | string | |
| `kind` * | string | |
### ValidatingPolicyAutogen

(Appears in: ValidatingPolicyAutogenStatus)

| Field | Type | Description |
|---|---|---|
| `targets` * | []Target | |
| `spec` * | ValidatingPolicySpec | |
### ValidatingPolicyAutogenConfiguration

(Appears in: ValidatingPolicySpec)

| Field | Type | Description |
|---|---|---|
| `podControllers` * | PodControllersGenerationConfiguration | PodControllers specifies whether to generate pod controller rules. |
| `validatingAdmissionPolicy` * | VapGenerationConfiguration | ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. |
### ValidatingPolicyAutogenStatus

(Appears in: ValidatingPolicyStatus)

| Field | Type | Description |
|---|---|---|
| `configs` * | map[string]ValidatingPolicyAutogen | |
### ValidatingPolicySpec

(Appears in: ValidatingPolicy, ValidatingPolicyAutogen)

ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.

| Field | Type | Description |
|---|---|---|
| `matchConstraints` * | admissionregistration/v1.MatchResources | MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches all Constraints. Required. |
| `validations` | []admissionregistration/v1.Validation | Validations contain CEL expressions which are used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required. |
| `failurePolicy` | admissionregistration/v1.FailurePolicyType | failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings. failurePolicy does not define how validations that evaluate to false are handled. When failurePolicy is set to Fail, the validationActions field defines how failures are enforced. Allowed values are Ignore or Fail. Defaults to Fail. |
| `auditAnnotations` | []admissionregistration/v1.AuditAnnotation | auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is required. |
| `matchConditions` | []admissionregistration/v1.MatchCondition | MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed. If a parameter object is provided, it can be accessed via the The exact matching logic is (in order): |
| `variables` | []admissionregistration/v1.Variable | Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic. |
| `autogen` | ValidatingPolicyAutogenConfiguration | AutogenConfiguration defines the configuration for the generation controller. |
| `validationActions` * | []admissionregistration/v1.ValidationAction | ValidationAction specifies the action to be taken when the matched resource violates the policy. Required. |
| `webhookConfiguration` | WebhookConfiguration | WebhookConfiguration defines the configuration for the webhook. |
| `evaluation` | EvaluationConfiguration | EvaluationConfiguration defines the configuration for the policy evaluation. |
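The following manifest is an added example, not from the Kyverno project or its documentation, showing how the ValidatingPolicySpec fields fit together and why `evaluation.background.enabled` must be `false` when an expression reads admission-only data such as the requesting user. The policy name, variable name, audit-annotation key and CEL expressions are constructed for illustration; the field names, value ranges and defaults come from the tables on this page.

```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: disallow-privileged-containers   # constructed example name
spec:
  # admissionregistration/v1.MatchResources: which requests this policy evaluates
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  # Named CEL expressions, evaluated in order; later entries may reference
  # earlier ones, so the list must be acyclic and sorted by first use.
  variables:
    - name: allContainers
      expression: >-
        object.spec.containers +
        (has(object.spec.initContainers) ? object.spec.initContainers : [])
  # Validations: every expression must evaluate to true for the request to pass
  validations:
    - expression: >-
        variables.allContainers.all(c,
          !has(c.securityContext) ||
          !has(c.securityContext.privileged) ||
          c.securityContext.privileged == false)
      message: "Privileged containers are not allowed."
  # Audit annotations are recorded on the API audit event, not the object.
  # request.userInfo exists only in the admission review request.
  auditAnnotations:
    - key: requested-by
      valueExpression: request.userInfo.username
  # Fail: CEL parse, type-check or runtime errors block the request
  failurePolicy: Fail
  # Deny: how a validation that evaluates to false is enforced
  validationActions: ["Deny"]
  evaluation:
    mode: Kubernetes
    admission:
      enabled: true
    background:
      # Must be false here: the audit annotation uses request.userInfo,
      # which is unavailable when existing resources are scanned.
      enabled: false
  webhookConfiguration:
    timeoutSeconds: 15   # allowed range is 1 to 30; default is 10
```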
### ValidatingPolicyStatus

(Appears in: ValidatingPolicy)

| Field | Type | Description |
|---|---|---|
| `conditionStatus` | ConditionStatus | |
| `autogen` | ValidatingPolicyAutogenStatus | |
| `generated` | bool | Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not. |
### ValidationConfiguration

(Appears in: ImageValidatingPolicySpec)

| Field | Type | Description |
|---|---|---|
| `mutateDigest` | bool | MutateDigest enables replacement of image tags with digests. Defaults to true. |
| `verifyDigest` | bool | VerifyDigest validates that images have a digest. |
| `required` | bool | Required validates that images are verified, i.e., have passed a signature or attestation check. |
### VapGenerationConfiguration

(Appears in: ValidatingPolicyAutogenConfiguration)

| Field | Type | Description |
|---|---|---|
| `enabled` * | bool | Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. Optional. Defaults to "false" if not specified. |
### WebhookConfiguration

(Appears in: GeneratingPolicySpec, ImageValidatingPolicySpec, MutatingPolicySpec, ValidatingPolicySpec)

| Field | Type | Description |
|---|---|---|
| `timeoutSeconds` * | int32 | TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, depending on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds. |