Package: policies.kyverno.io/v1alpha1

Resource Types:

DeletingPolicy

Field Description
apiVersion
string
policies.kyverno.io/v1alpha1
kind
string
DeletingPolicy
metadata *
meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec *
DeletingPolicySpec


matchConstraints *
admissionregistration/v1.MatchResources

MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

conditions
[]admissionregistration/v1.MatchCondition

Conditions is a list of conditions that must be met for a resource to be deleted. Conditions filter resources that have already been matched by the match constraints, namespaceSelector, and objectSelector. An empty list of conditions matches all resources. There are a maximum of 64 conditions allowed.

The exact matching logic is (in order):

  1. If ANY condition evaluates to FALSE, the policy is skipped.
  2. If ALL conditions evaluate to TRUE, the policy is executed.
variables
[]admissionregistration/v1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.

The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

schedule *
string

The schedule in Cron format. Required.

deletionPropagationPolicy
meta/v1.DeletionPropagation

DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).

status
DeletingPolicyStatus

Status contains policy runtime data.

GeneratingPolicy

Field Description
apiVersion
string
policies.kyverno.io/v1alpha1
kind
string
GeneratingPolicy
metadata *
meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec *
GeneratingPolicySpec


matchConstraints *
admissionregistration/v1.MatchResources

MatchConstraints specifies what resources will trigger this policy. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

matchConditions
[]admissionregistration/v1.MatchCondition

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions.

The exact matching logic is (in order):

  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
  3. If any matchCondition evaluates to an error (but none are FALSE):
    • If failurePolicy=Fail, reject the request
    • If failurePolicy=Ignore, the policy is skipped
variables
[]admissionregistration/v1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.

The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

evaluation
GeneratingPolicyEvaluationConfiguration

EvaluationConfiguration defines the configuration for the policy evaluation.

webhookConfiguration
WebhookConfiguration

WebhookConfiguration defines the configuration for the webhook.

generate *
[]Generation

Generation defines a set of CEL expressions that will be evaluated to generate resources. Required.

status
GeneratingPolicyStatus

Status contains policy runtime data.

ImageValidatingPolicy

Field Description
apiVersion
string
policies.kyverno.io/v1alpha1
kind
string
ImageValidatingPolicy
metadata *
meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec *
ImageValidatingPolicySpec


matchConstraints
admissionregistration/v1.MatchResources

MatchConstraints specifies what resources this policy is designed to validate.

failurePolicy
admissionregistration/v1.FailurePolicyType

FailurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.

auditAnnotations
[]admissionregistration/v1.AuditAnnotation

auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is required.

validationActions *
[]admissionregistration/v1.ValidationAction

ValidationAction specifies the action to be taken when the matched resource violates the policy. Required.

matchConditions
[]admissionregistration/v1.MatchCondition

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

variables
[]admissionregistration/v1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression.

validationConfigurations
ValidationConfiguration

ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.

matchImageReferences
[]MatchImageReference

MatchImageReferences is a list of Glob and CELExpressions to match images. Any image that matches one of the rules is considered for validation. Any image that does not match a rule is skipped, even when it is passed as an argument to image verification functions.

credentials *
Credentials

Credentials provides credentials that will be used for authentication with registry.

images
[]ImageExtractor

ImageExtractors is a list of CEL expressions to extract images from the resource.

attestors *
[]Attestor

Attestors provides a list of trusted authorities.

attestations
[]Attestation

Attestations provides a list of image metadata to verify.

validations *
[]admissionregistration/v1.Validation

Validations contain CEL expressions which are used to apply the image validation checks.

webhookConfiguration
WebhookConfiguration

WebhookConfiguration defines the configuration for the webhook.

evaluation
EvaluationConfiguration

EvaluationConfiguration defines the configuration for the policy evaluation.

autogen
ImageValidatingPolicyAutogenConfiguration

AutogenConfiguration defines the configuration for the generation controller.

status
ImageValidatingPolicyStatus

Status contains policy runtime data.

MutatingPolicy

Field Description
apiVersion
string
policies.kyverno.io/v1alpha1
kind
string
MutatingPolicy
metadata *
meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec *
MutatingPolicySpec


matchConstraints *
admissionregistration/v1alpha1.MatchResources

MatchConstraints specifies what resources this policy is designed to evaluate. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

failurePolicy
admissionregistration/v1alpha1.FailurePolicyType

failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.

failurePolicy does not define how validations that evaluate to false are handled.

When failurePolicy is set to Fail, the validationActions field defines how failures are enforced.

Allowed values are Ignore or Fail. Defaults to Fail.

matchConditions
[]admissionregistration/v1alpha1.MatchCondition

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions.

The exact matching logic is (in order):

  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
  3. If any matchCondition evaluates to an error (but none are FALSE):
    • If failurePolicy=Fail, reject the request
    • If failurePolicy=Ignore, the policy is skipped
variables
[]admissionregistration/v1alpha1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.

The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

autogen
MutatingPolicyAutogenConfiguration

AutogenConfiguration defines the configuration for the generation controller.

targetMatchConstraints
admissionregistration/v1alpha1.MatchResources

TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.

mutations
[]admissionregistration/v1alpha1.Mutation

mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.

webhookConfiguration
WebhookConfiguration

WebhookConfiguration defines the configuration for the webhook.

evaluation
MutatingPolicyEvaluationConfiguration

EvaluationConfiguration defines the configuration for mutating policy evaluation.

reinvocationPolicy *
admissionregistration/v1alpha1.ReinvocationPolicyType

reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".

Never: These mutations will not be called more than once per binding in a single admission evaluation.

IfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.

status
MutatingPolicyStatus

Status contains policy runtime data.

PolicyException

PolicyException declares resources to be excluded from specified policies.

Field Description
apiVersion
string
policies.kyverno.io/v1alpha1
kind
string
PolicyException
metadata *
meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec *
PolicyExceptionSpec

Spec declares policy exception behaviors.



policyRefs *
[]PolicyRef

PolicyRefs identifies the policies to which the exception is applied.

matchConditions
[]admissionregistration/v1.MatchCondition

MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.

ValidatingPolicy

Field Description
apiVersion
string
policies.kyverno.io/v1alpha1
kind
string
ValidatingPolicy
metadata *
meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec *
ValidatingPolicySpec


matchConstraints *
admissionregistration/v1.MatchResources

MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

validations
[]admissionregistration/v1.Validation

Validations contain CEL expressions which are used to apply the validation. Validations and AuditAnnotations may not both be empty; at least one validation or audit annotation is required.

failurePolicy
admissionregistration/v1.FailurePolicyType

failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.

failurePolicy does not define how validations that evaluate to false are handled.

When failurePolicy is set to Fail, the validationActions field defines how failures are enforced.

Allowed values are Ignore or Fail. Defaults to Fail.

auditAnnotations
[]admissionregistration/v1.AuditAnnotation

auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is required.

matchConditions
[]admissionregistration/v1.MatchCondition

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions.

The exact matching logic is (in order):

  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
  3. If any matchCondition evaluates to an error (but none are FALSE):
    • If failurePolicy=Fail, reject the request
    • If failurePolicy=Ignore, the policy is skipped
variables
[]admissionregistration/v1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.

The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

autogen
ValidatingPolicyAutogenConfiguration

AutogenConfiguration defines the configuration for the generation controller.

validationActions *
[]admissionregistration/v1.ValidationAction

ValidationAction specifies the action to be taken when the matched resource violates the policy. Required.

webhookConfiguration
WebhookConfiguration

WebhookConfiguration defines the configuration for the webhook.

evaluation
EvaluationConfiguration

EvaluationConfiguration defines the configuration for the policy evaluation.

status
ValidatingPolicyStatus

Status contains policy runtime data.
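The following ValidatingPolicy is an added example, not taken from the Kyverno project or its documentation, that exercises the fields described above: matchConditions are evaluated first (a FALSE result skips the policy, an error is handled according to failurePolicy), variables are declared in dependency order so that `unpinned` can refer to `images`, and at least one of validations or auditAnnotations is present. The policy name, the `kube-` namespace prefix and the image-pinning rule are constructed for illustration; the CEL expressions assume the standard `object` and `variables` bindings described on this page.

```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: require-digest-pinned-images   # constructed name
spec:
  # MatchConstraints: which requests this policy looks at at all.
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  # MatchConditions run before variables and cannot use them.
  # FALSE  -> policy skipped; error -> request rejected because failurePolicy=Fail.
  matchConditions:
    - name: skip-system-namespaces
      expression: "has(object.metadata.namespace) && !object.metadata.namespace.startsWith('kube-')"
  failurePolicy: Fail
  # Variables must be ordered by first use: 'unpinned' refers to 'images',
  # so 'images' has to be listed first.
  variables:
    - name: images
      expression: "object.spec.containers.map(c, c.image)"
    - name: unpinned
      expression: "variables.images.filter(i, !i.contains('@sha256:'))"
  # At least one of validations / auditAnnotations is required; here both are set.
  validations:
    - expression: "size(variables.unpinned) == 0"
      message: "all container images must be pinned by digest (@sha256:...)"
  auditAnnotations:
    - key: unpinned-images
      valueExpression: "'unpinned images: ' + variables.unpinned.join(', ')"
  # Deny enforces the rule at admission; Audit additionally records the violation.
  validationActions: [Deny, Audit]
  evaluation:
    admission:
      enabled: true
    # Background scanning is safe here because the expressions only use 'object',
    # not request-only data such as the requesting user.
    background:
      enabled: true
```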

AdmissionConfiguration

(Appears in: EvaluationConfiguration, GeneratingPolicyEvaluationConfiguration, MutatingPolicyEvaluationConfiguration)

Field Description
enabled
bool

Enabled controls if rules are applied during admission. Optional. Default value is "true".

Attestation

(Appears in: ImageValidatingPolicySpec)

Attestation defines the identification details of the metadata that has to be verified.

Field Description
name *
string

Name is the name for this attestation. It is used to refer to the attestation in verification.

intoto
InToto

InToto defines the details of an attestation attached using the in-toto format.

referrer
Referrer

Referrer defines the details of an attestation attached using the OCI 1.1 referrers format.

Attestor

(Appears in: ImageValidatingPolicySpec)

Attestor is an identity that confirms or verifies the authenticity of an image or an attestation.

Field Description
name *
string

Name is the name for this attestor. It is used to refer to the attestor in verification.

cosign
Cosign

Cosign defines attestor configuration for Cosign based signatures.

notary
Notary

Notary defines attestor configuration for Notary based signatures.

BackgroundConfiguration

(Appears in: EvaluationConfiguration)

Field Description
enabled
bool

Enabled controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).

CTLog

(Appears in: Cosign)

CTLog sets the configuration to verify the authority against a Rekor instance.

Field Description
url
string

URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)

rekorPubKey
string

RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. If set, this will be used to validate transparency log signatures from a custom Rekor.

ctLogPubKey
string

CTLogPubKey, if set, is used to validate SCTs against a custom source.

tsaCertChain
string

TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if not present in the timestamp.

insecureIgnoreTlog
bool

InsecureIgnoreTlog skips transparency log verification.

insecureIgnoreSCT
bool

IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate timestamp. Default is false. Set to true if this was opted out during signing.

Certificate

(Appears in: Cosign)

Certificate defines the configuration for local signature verification

Field Description
cert
StringOrExpression

Certificate is the public certificate used for local signature verification.

certChain
StringOrExpression

CertificateChain is the list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate.

ConditionStatus

(Appears in: DeletingPolicyStatus, GeneratingPolicyStatus, ImageValidatingPolicyStatus, MutatingPolicyStatus, ValidatingPolicyStatus)

ConditionStatus is the shared status across all policy types

Field Description
ready
bool

The ready field of a policy is a high-level summary of where the policy is in its lifecycle. The conditions array and the reason and message fields contain more detail about the policy's status.

conditions
[]meta/v1.Condition
message
string

Message is a human readable message indicating details about the generation of the ValidatingAdmissionPolicy/MutatingAdmissionPolicy. It is an empty string when the ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.

Cosign

(Appears in: Attestor)

Cosign defines attestor configuration for Cosign based signatures

Field Description
key
Key

Key defines the type of key to validate the image.

keyless
Keyless

Keyless sets the configuration to verify the authority against a Fulcio instance.

certificate
Certificate

Certificate defines the configuration for local signature verification

source
Source

Source sets the configuration to specify the sources from where to consume the signature and attestations.

ctlog
CTLog

CTLog sets the configuration to verify the authority against a Rekor instance.

tuf
TUF

TUF defines the configuration to fetch the sigstore root.

annotations
map[string]string

Annotations are used for image verification. Every specified key-value pair must exist and match in the verified payload. The payload may contain other key-value pairs.

Credentials

(Appears in: ImageValidatingPolicySpec)

Field Description
allowInsecureRegistry
bool

AllowInsecureRegistry allows insecure access to a registry.

providers
[]CredentialsProvidersType

Providers specifies a list of OCI Registry names, whose authentication providers are provided. It can be one of these values: default, google, azure, amazon, github.

secrets
[]string

Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace.

CredentialsProvidersType (string alias)

(Appears in: Credentials)

CredentialsProvidersType provides the list of credential providers required.

DeletingPolicySpec

(Appears in: DeletingPolicy)

DeletingPolicySpec is the specification of the desired behavior of the DeletingPolicy.

Field Description
matchConstraints *
admissionregistration/v1.MatchResources

MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

conditions
[]admissionregistration/v1.MatchCondition

Conditions is a list of conditions that must be met for a resource to be deleted. Conditions filter resources that have already been matched by the match constraints, namespaceSelector, and objectSelector. An empty list of conditions matches all resources. There are a maximum of 64 conditions allowed.

The exact matching logic is (in order):

  1. If ANY condition evaluates to FALSE, the policy is skipped.
  2. If ALL conditions evaluate to TRUE, the policy is executed.
variables
[]admissionregistration/v1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.

The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

schedule *
string

The schedule in Cron format. Required.

deletionPropagationPolicy
meta/v1.DeletionPropagation

DeletionPropagationPolicy defines how resources will be deleted (Foreground, Background, Orphan).

DeletingPolicyStatus

(Appears in: DeletingPolicy)

Field Description
conditionStatus
ConditionStatus
lastExecutionTime *
meta/v1.Time

EvaluationConfiguration

(Appears in: ImageValidatingPolicySpec, ValidatingPolicySpec)

Field Description
mode
EvaluationMode

Mode is the mode of policy evaluation. Allowed values are "Kubernetes" or "JSON". Optional. Default value is "Kubernetes".

admission
AdmissionConfiguration

Admission controls policy evaluation during admission.

background
BackgroundConfiguration

Background controls policy evaluation during background scan.

EvaluationMode (string alias)

(Appears in: EvaluationConfiguration)

GenerateExistingConfiguration

(Appears in: GeneratingPolicyEvaluationConfiguration)

GenerateExistingConfiguration defines the configuration for generating resources for existing triggers.

Field Description
enabled
bool

Enabled controls whether to trigger the policy for existing resources. If set to "true", the policy will be triggered and applied to existing matched resources. Optional. Defaults to "false" if not specified.

GeneratingPolicyEvaluationConfiguration

(Appears in: GeneratingPolicySpec)

Field Description
admission
AdmissionConfiguration

Admission controls policy evaluation during admission.

generateExisting
GenerateExistingConfiguration

GenerateExisting defines the configuration for generating resources for existing triggers.

synchronize
SynchronizationConfiguration

Synchronization defines the configuration for the synchronization of generated resources.

orphanDownstreamOnPolicyDelete *
OrphanDownstreamOnPolicyDeleteConfiguration

OrphanDownstreamOnPolicyDelete defines the configuration for orphaning downstream resources on policy delete.

GeneratingPolicySpec

(Appears in: GeneratingPolicy)

GeneratingPolicySpec is the specification of the desired behavior of the GeneratingPolicy.

Field Description
matchConstraints *
admissionregistration/v1.MatchResources

MatchConstraints specifies what resources will trigger this policy. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

matchConditions
[]admissionregistration/v1.MatchCondition

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions.

The exact matching logic is (in order):

  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
  3. If any matchCondition evaluates to an error (but none are FALSE):
    • If failurePolicy=Fail, reject the request
    • If failurePolicy=Ignore, the policy is skipped
variables
[]admissionregistration/v1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.

The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

evaluation
GeneratingPolicyEvaluationConfiguration

EvaluationConfiguration defines the configuration for the policy evaluation.

webhookConfiguration
WebhookConfiguration

WebhookConfiguration defines the configuration for the webhook.

generate *
[]Generation

Generation defines a set of CEL expressions that will be evaluated to generate resources. Required.

GeneratingPolicyStatus

(Appears in: GeneratingPolicy)

Field Description
conditionStatus
ConditionStatus

Generation

(Appears in: GeneratingPolicySpec)

Generation defines the configuration for the generation of resources.

Field Description
expression *
string

Expression is a CEL expression that takes a list of resources to be generated.

Identity

(Appears in: Keyless)

Identity may contain the issuer and/or the subject found in the transparency log. Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp apply a regexp for matching.

Field Description
issuer
string

Issuer defines the issuer for this identity.

subject
string

Subject defines the subject for this identity.

issuerRegExp
string

IssuerRegExp specifies a regular expression to match the issuer for this identity.

subjectRegExp
string

SubjectRegExp specifies a regular expression to match the subject for this identity.

ImageExtractor

(Appears in: ImageValidatingPolicySpec)

Field Description
name *
string

Name is the name for this imageList. It is used to refer to the images in the verification block as images.

expression *
string

Expression defines CEL expression to extract images from the resource.

ImageValidatingPolicyAutogen

(Appears in: ImageValidatingPolicyAutogenStatus)

Field Description
targets *
[]Target
spec *
ImageValidatingPolicySpec


ImageValidatingPolicyAutogenConfiguration

(Appears in: ImageValidatingPolicySpec)

Field Description
podControllers *
PodControllersGenerationConfiguration

PodControllers specifies whether to generate pod controller rules.

ImageValidatingPolicyAutogenStatus

(Appears in: ImageValidatingPolicyStatus)

Field Description
configs *
map[string]ImageValidatingPolicyAutogen

ImageValidatingPolicySpec

(Appears in: ImageValidatingPolicy, ImageValidatingPolicyAutogen)

ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.

Field Description
matchConstraints
admissionregistration/v1.MatchResources

MatchConstraints specifies what resources this policy is designed to validate.

failurePolicy
admissionregistration/v1.FailurePolicyType

FailurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.

auditAnnotations
[]admissionregistration/v1.AuditAnnotation

auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is required.

validationActions *
[]admissionregistration/v1.ValidationAction

ValidationAction specifies the action to be taken when the matched resource violates the policy. Required.

matchConditions
[]admissionregistration/v1.MatchCondition

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

variables
[]admissionregistration/v1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression.

validationConfigurations
ValidationConfiguration

ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.

matchImageReferences
[]MatchImageReference

MatchImageReferences is a list of Glob and CELExpressions to match images. Any image that matches one of the rules is considered for validation. Any image that does not match a rule is skipped, even when it is passed as an argument to image verification functions.

credentials *
Credentials

Credentials provides credentials that will be used for authentication with registry.

images
[]ImageExtractor

ImageExtractors is a list of CEL expressions to extract images from the resource.

attestors *
[]Attestor

Attestors provides a list of trusted authorities.

attestations
[]Attestation

Attestations provides a list of image metadata to verify.

validations *
[]admissionregistration/v1.Validation

Validations contain CEL expressions which are used to apply the image validation checks.

webhookConfiguration
WebhookConfiguration

WebhookConfiguration defines the configuration for the webhook.

evaluation
EvaluationConfiguration

EvaluationConfiguration defines the configuration for the policy evaluation.

autogen
ImageValidatingPolicyAutogenConfiguration

AutogenConfiguration defines the configuration for the generation controller.
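The following ImageValidatingPolicy is an added example, not taken from the Kyverno project or its documentation, that ties together the ImageValidatingPolicySpec fields described above (both in the resource section and here): matchImageReferences limits verification to one registry path, a Cosign keyless attestor pins the expected OIDC issuer and subject and keeps transparency-log and SCT checks on, an in-toto attestation names the SBOM predicate to verify, and the validations reference both through the `attestors.<name>` / `attestations.<name>` handles. The policy name, registry path, organisation and workflow regexp are constructed; the `images.containers` extractor and the `verifyImageSignatures` / `verifyAttestationSignatures` CEL functions are assumed to be the ones Kyverno exposes to image validation expressions.

```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: ImageValidatingPolicy
metadata:
  name: verify-ci-signed-images        # constructed name
spec:
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  # Errors in CEL evaluation (not signature failures) reject the request.
  failurePolicy: Fail
  validationActions: [Deny]
  # Only images matching one of these rules are verified; any other image is
  # skipped even when it is passed to a verification function below.
  matchImageReferences:
    - glob: "ghcr.io/example-org/*"    # constructed registry path
  # Trusted authorities, referenced from validations as attestors.<name>.
  attestors:
    - name: cikeyless
      cosign:
        keyless:
          identities:
            # Strict issuer match plus a regexp on the certificate subject:
            # only workflows from this organisation's repositories are trusted.
            - issuer: "https://token.actions.githubusercontent.com"
              subjectRegExp: "^https://github\\.com/example-org/[^/]+/\\.github/workflows/.+$"
        ctlog:
          url: "https://rekor.sigstore.dev"
          # Keep transparency-log and SCT verification enabled; the insecure*
          # switches exist for signing setups that opted out, not as defaults.
          insecureIgnoreTlog: false
          insecureIgnoreSCT: false
  # Image metadata to verify, referenced from validations as attestations.<name>.
  attestations:
    - name: sbom
      intoto:
        type: "https://spdx.dev/Document"
  validations:
    # Every container image must carry a signature from the keyless attestor.
    - expression: >-
        images.containers.map(image,
          verifyImageSignatures(image, [attestors.cikeyless])).all(e, e > 0)
      message: "every container image must be signed by the trusted CI identity"
    # Every container image must also carry an SPDX SBOM attestation signed by
    # the same attestor; an unsigned or missing attestation fails the check.
    - expression: >-
        images.containers.map(image,
          verifyAttestationSignatures(image, attestations.sbom, [attestors.cikeyless])).all(e, e > 0)
      message: "every container image must carry a signed SPDX SBOM attestation"
  evaluation:
    admission:
      enabled: true
    background:
      enabled: false
```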

ImageValidatingPolicyStatus

(Appears in: ImageValidatingPolicy)

Field Description
conditionStatus
ConditionStatus
autogen
ImageValidatingPolicyAutogenStatus

InToto

(Appears in: Attestation)

Field Description
type *
string

Type defines the type of attestation contained within the statement.

Key

(Appears in: Cosign)

A Key must specify only one of CEL, Data or KMS.

Field Description
data
string

Data contains the inline public key.

kms
string

KMS contains the KMS URL of the public key. Supported formats differ based on the KMS system used.

hashAlgorithm
string

HashAlgorithm specifies the signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512. Defaults to sha256.

expression
string

Expression is a CEL expression that returns the public key.

Keyless

(Appears in: Cosign)

Keyless contains location of the validating certificate and the identities against which to verify.

Field Description
identities *
[]Identity

Identities sets a list of identities.

roots *
string

Roots is an optional set of PEM encoded trusted root certificates. If not provided, the system roots are used.

MAPGenerationConfiguration

(Appears in: MutatingPolicyAutogenConfiguration)

Field Description
enabled *
bool

Enabled specifies whether to generate a Kubernetes MutatingAdmissionPolicy. Optional. Defaults to "false" if not specified.

MatchImageReference

(Appears in: ImageValidatingPolicySpec)

MatchImageReference defines a Glob or a CEL expression for matching images.

Field Description
glob
string

Glob defines a globbing pattern for matching images.

expression
string

Expression defines a CEL expression for matching images.

MutateExistingConfiguration

(Appears in: MutatingPolicyEvaluationConfiguration)

Field Description
enabled
bool

Enabled enables mutation of existing resources. Default is false. When spec.targetMatchConstraints is not defined, Kyverno mutates existing resources matched in spec.matchConstraints.

MutatingPolicyAutogen

(Appears in: MutatingPolicyAutogenStatus)

Field Description
targets *
[]Target
spec *
MutatingPolicySpec


MutatingPolicyAutogenConfiguration

(Appears in: MutatingPolicySpec)

Field Description
podControllers *
PodControllersGenerationConfiguration

PodControllers specifies whether to generate pod controller rules.

mutatingAdmissionPolicy *
MAPGenerationConfiguration

MutatingAdmissionPolicy specifies whether to generate a Kubernetes MutatingAdmissionPolicy.

MutatingPolicyAutogenStatus

(Appears in: MutatingPolicyStatus)

Field Description
configs *
map[string]MutatingPolicyAutogen

MutatingPolicyEvaluationConfiguration

(Appears in: MutatingPolicySpec)

Field Description
admission
AdmissionConfiguration

Admission controls policy evaluation during admission.

mutateExisting
MutateExistingConfiguration

MutateExisting controls whether existing resources are mutated.

MutatingPolicySpec

(Appears in: MutatingPolicy, MutatingPolicyAutogen)

MutatingPolicySpec is the specification of the desired behavior of the MutatingPolicy.

Field Description
matchConstraints *
admissionregistration/v1alpha1.MatchResources

MatchConstraints specifies what resources this policy is designed to evaluate. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

failurePolicy
admissionregistration/v1alpha1.FailurePolicyType

failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.

failurePolicy does not define how validations that evaluate to false are handled.

When failurePolicy is set to Fail, the validationActions field defines how failures are enforced.

Allowed values are Ignore or Fail. Defaults to Fail.

matchConditions
[]admissionregistration/v1alpha1.MatchCondition

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions.

The exact matching logic is (in order):

  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
  3. If any matchCondition evaluates to an error (but none are FALSE):
    • If failurePolicy=Fail, reject the request
    • If failurePolicy=Ignore, the policy is skipped
variables
[]admissionregistration/v1alpha1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.

The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

autogen
MutatingPolicyAutogenConfiguration

AutogenConfiguration defines the configuration for the generation controller.

targetMatchConstraints
admissionregistration/v1alpha1.MatchResources

TargetMatchConstraints specifies what target mutation resources this policy is designed to evaluate.

mutations
[]admissionregistration/v1alpha1.Mutation

mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.

webhookConfiguration
WebhookConfiguration

WebhookConfiguration defines the configuration for the webhook.

evaluation
MutatingPolicyEvaluationConfiguration

EvaluationConfiguration defines the configuration for mutating policy evaluation.

reinvocationPolicy *
admissionregistration/v1alpha1.ReinvocationPolicyType

reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".

Never: These mutations will not be called more than once per binding in a single admission evaluation.

IfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.

MutatingPolicyStatus

(Appears in: MutatingPolicy)

Field Description
conditionStatus
ConditionStatus
autogen
MutatingPolicyAutogenStatus
generated
bool

Generated indicates whether a MutatingAdmissionPolicy is generated from the policy or not.

Notary

(Appears in: Attestor)

Notary defines attestor configuration for Notary based signatures.

Field Description
certs
StringOrExpression

Certs define the cert chain for Notary signature verification.

tsaCerts
StringOrExpression

TSACerts define the cert chain for verifying timestamps of Notary signatures.

OrphanDownstreamOnPolicyDeleteConfiguration

(Appears in: GeneratingPolicyEvaluationConfiguration)

OrphanDownstreamOnPolicyDeleteConfiguration defines the configuration for orphaning downstream resources on policy delete.

Field Description
enabled
bool

Enabled controls whether generated resources should be deleted when the policy that generated them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. Optional. Defaults to "false" if not specified.

PodControllersGenerationConfiguration

(Appears in: ImageValidatingPolicyAutogenConfiguration, MutatingPolicyAutogenConfiguration, ValidatingPolicyAutogenConfiguration)

Field Description
controllers *
[]string

PolicyExceptionSpec

(Appears in: PolicyException)

PolicyExceptionSpec stores the policy exception spec.

Field Description
policyRefs *
[]PolicyRef

PolicyRefs identifies the policies to which the exception is applied.

matchConditions
[]admissionregistration/v1.MatchCondition

MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.

PolicyRef

(Appears in: PolicyExceptionSpec)

Field Description
name *
string

Name is the name of the policy.

kind *
string

Kind is the kind of the policy.

Referrer

(Appears in: Attestation)

Field Description
type *
string

Type defines the type of attestation attached to the image.

Source

(Appears in: Cosign)

Source specifies the location of the signature / attestations.

Field Description
repository
string

Repository defines the location from where to pull the signature / attestations.

PullSecrets
[]core/v1.LocalObjectReference

SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source.

tagPrefix
string

TagPrefix is an optional prefix that signatures and attestations have. This is the 'tag based discovery' mechanism; in the future, once references are fully supported, that should likely be the preferred way to handle these.

StringOrExpression

(Appears in: Certificate, Notary)

StringOrExpression contains either a raw string input or a CEL expression.

Field Description
value
string

Value defines the raw string input.

expression
string

Expression defines a CEL expression input.

SynchronizationConfiguration

(Appears in: GeneratingPolicyEvaluationConfiguration)

SynchronizationConfiguration defines the configuration for the synchronization of generated resources.

Field Description
enabled
bool

Enabled controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to "true" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified.

TUF

(Appears in: Cosign)

TUF defines the configuration to fetch the Sigstore root.

Field Description
root
TUFRoot

Root defines the path or data of the trusted root.

mirror
string

Mirror is the base URL of the Sigstore TUF repository.

TUFRoot

(Appears in: TUF)

TUFRoot defines the path or data of the trusted root.

Field Description
path
string

Path is the URL or file location of the TUF root.

data
string

Data is the base64 encoded TUF root.

Target

(Appears in: ImageValidatingPolicyAutogen, MutatingPolicyAutogen, ValidatingPolicyAutogen)

Field Description
group *
string
version *
string
resource *
string
kind *
string

ValidatingPolicyAutogen

(Appears in: ValidatingPolicyAutogenStatus)

Field Description
targets *
[]Target
spec *
ValidatingPolicySpec


ValidatingPolicyAutogenConfiguration

(Appears in: ValidatingPolicySpec)

Field Description
podControllers *
PodControllersGenerationConfiguration

PodControllers specifies whether to generate pod controller rules.

validatingAdmissionPolicy *
VapGenerationConfiguration

ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.

ValidatingPolicyAutogenStatus

(Appears in: ValidatingPolicyStatus)

Field Description
configs *
map[string]ValidatingPolicyAutogen

ValidatingPolicySpec

(Appears in: ValidatingPolicy, ValidatingPolicyAutogen)

ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.

Field Description
matchConstraints *
admissionregistration/v1.MatchResources

MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches all Constraints. Required.

validations
[]admissionregistration/v1.Validation

Validations contain CEL expressions which are used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.

failurePolicy
admissionregistration/v1.FailurePolicyType

failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.

failurePolicy does not define how validations that evaluate to false are handled.

When failurePolicy is set to Fail, the validationActions field defines how failures are enforced.

Allowed values are Ignore or Fail. Defaults to Fail.

auditAnnotations
[]admissionregistration/v1.AuditAnnotation

auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is required.

matchConditions
[]admissionregistration/v1.MatchCondition

MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

If a parameter object is provided, it can be accessed via the params handle in the same manner as validation expressions.

The exact matching logic is (in order):

  1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
  2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
  3. If any matchCondition evaluates to an error (but none are FALSE):
    • If failurePolicy=Fail, reject the request
    • If failurePolicy=Ignore, the policy is skipped
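The three-step order above (stated identically for MutatingPolicySpec.matchConditions) has one subtlety worth seeing in code: a FALSE condition always wins, and errors only matter when no condition is FALSE, at which point failurePolicy decides between rejecting the request and skipping the policy. The following is an added example that models that decision order in Python; it is not Kyverno's implementation or code from this reference. CEL expressions are stood in for by Python callables over a constructed Pod-like object, an exception raised by a callable plays the role of a CEL runtime error, and the condition names, the sample object and the `make_pod` helper are assumptions made for the illustration.

```python
# Added example: a model of the matchConditions decision order documented for
# ValidatingPolicySpec and MutatingPolicySpec. Not Kyverno's code. CEL expressions
# are represented by Python callables; an exception raised by a callable stands in
# for a CEL "evaluates to an error" result (for example a missing field).
from typing import Any, Callable, Dict, List, Optional, Tuple

MAX_MATCH_CONDITIONS = 64  # limit stated in the field description

# A condition is (name, expression); the expression receives the request object
# and returns True/False or raises.
Condition = Tuple[str, Callable[[Dict[str, Any]], bool]]


def evaluate_match_conditions(conditions: List[Condition],
                              request: Dict[str, Any],
                              failure_policy: str = "Fail") -> str:
    """Return "skipped", "evaluated" or "rejected" following the documented order:
    1. any condition FALSE       -> policy skipped (wins even if others error)
    2. all conditions TRUE       -> policy evaluated
    3. some condition errored and none FALSE:
         failurePolicy=Fail      -> request rejected
         failurePolicy=Ignore    -> policy skipped
    failurePolicy defaults to Fail, as the reference states.
    """
    if failure_policy not in ("Fail", "Ignore"):
        raise ValueError("failurePolicy must be Ignore or Fail")
    if len(conditions) > MAX_MATCH_CONDITIONS:
        raise ValueError(f"at most {MAX_MATCH_CONDITIONS} match conditions allowed")

    errors: List[str] = []
    for name, expression in conditions:
        try:
            outcome = expression(request)
        except Exception as exc:  # CEL runtime error analogue
            errors.append(f"{name}: {exc!r}")
            continue
        if outcome is False:
            return "skipped"      # step 1: a FALSE result short-circuits everything
    if errors:                    # step 3: errors seen, but nothing was FALSE
        return "rejected" if failure_policy == "Fail" else "skipped"
    return "evaluated"            # step 2: every condition was TRUE


# Constructed conditions, analogous to CEL such as
#   object.kind == 'Pod'
#   !object.metadata.namespace.startsWith('kube-')
#   object.metadata.labels['team'] != ''   (errors when no labels map exists)
SAMPLE_CONDITIONS: List[Condition] = [
    ("is-pod", lambda obj: obj["kind"] == "Pod"),
    ("not-system-namespace",
     lambda obj: not obj["metadata"]["namespace"].startswith("kube-")),
    ("has-team-label", lambda obj: obj["metadata"]["labels"]["team"] != ""),
]


def make_pod(namespace: str, labels: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """Build a constructed, minimal Pod-like object (not a real admission request)."""
    metadata: Dict[str, Any] = {"name": "demo", "namespace": namespace}
    if labels is not None:
        metadata["labels"] = labels
    return {"kind": "Pod", "metadata": metadata, "spec": {"containers": []}}


if __name__ == "__main__":
    cases = [
        ("labelled pod in prod", make_pod("prod", {"team": "payments"}), "Fail"),
        ("pod in kube-system", make_pod("kube-system", {"team": "infra"}), "Fail"),
        ("unlabelled pod, failurePolicy=Fail", make_pod("prod"), "Fail"),
        ("unlabelled pod, failurePolicy=Ignore", make_pod("prod"), "Ignore"),
        ("unlabelled pod in kube-system", make_pod("kube-system"), "Fail"),
    ]
    for title, obj, policy in cases:
        print(f"{title}: {evaluate_match_conditions(SAMPLE_CONDITIONS, obj, policy)}")
```

The last two cases are the ones to keep in mind when writing conditions: an object missing a field your expression dereferences produces an error rather than FALSE, so with the default failurePolicy of Fail the request is rejected outright, whereas the same object in a namespace that trips an earlier FALSE condition is simply skipped. Guarding such dereferences (in CEL, with `has()`) keeps a match condition from turning into an unintended deny.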
variables
[]admissionregistration/v1.Variable

Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under variables in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.

The expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.

autogen
ValidatingPolicyAutogenConfiguration

AutogenConfiguration defines the configuration for the generation controller.

validationActions *
[]admissionregistration/v1.ValidationAction

ValidationAction specifies the action to be taken when the matched resource violates the policy. Required.

webhookConfiguration
WebhookConfiguration

WebhookConfiguration defines the configuration for the webhook.

evaluation
EvaluationConfiguration

EvaluationConfiguration defines the configuration for the policy evaluation.

ValidatingPolicyStatus

(Appears in: ValidatingPolicy)

Field Description
conditionStatus
ConditionStatus
autogen
ValidatingPolicyAutogenStatus
generated
bool

Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not.

ValidationConfiguration

(Appears in: ImageValidatingPolicySpec)

Field Description
mutateDigest
bool

MutateDigest enables replacement of image tags with digests. Defaults to true.

verifyDigest
bool

VerifyDigest validates that images have a digest.

required
bool

Required validates that images are verified, i.e., have passed a signature or attestation check.

VapGenerationConfiguration

(Appears in: ValidatingPolicyAutogenConfiguration)

Field Description
enabled *
bool

Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy. Optional. Defaults to "false" if not specified.

WebhookConfiguration

(Appears in: GeneratingPolicySpec, ImageValidatingPolicySpec, MutatingPolicySpec, ValidatingPolicySpec)

Field Description
timeoutSeconds *
int32

TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds.